Netlogin MAC auth not triggering RADIUS

  • Question
  • Updated 6 months ago
  • Answered
  • (Edited)

Hi,

I believe this was working at some point but can't work out where the issue is. In summary, when an end-system is connected to a MAC auth enabled port (22 in this case) it's not triggering the RADIUS exchange. This shows up as the RADIUS counters on the switch remaining at 0, and a tcpdump on the RADIUS server (NAC) shows nothing hitting it.

Everything seems to be enabled and configured correctly from what I can tell, no messages are showing in the switch logs, and the switch has been rebooted.

Here is the config:

AAA Configuration:

configure radius netlogin 1 server 10.23.23.142 1812 client-ip 10.255.5.13 vr VR-Default
configure radius 1 shared-secret encrypted "#$IUJ6KZp7XE/QtheSL51gMgVphQvqTQtWtlcSTGc2"
configure radius netlogin 2 server 10.23.23.12 1812 client-ip 10.255.5.13 vr VR-Default
configure radius 2 shared-secret encrypted "#$6ruCKApEePMNVH5CaJp4MwIyg7tNkJpaqKVmet19"
configure radius-accounting netlogin 1 server 10.23.23.142 1813 client-ip 10.255.5.13 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$9+bcdiIS9MEBn1zwdRrI+ROwhz0eYfhA6/dJq9ym"
configure radius-accounting 1 timeout 10
configure radius-accounting netlogin 2 server 10.23.23.12 1813 client-ip 10.255.5.13 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$p0z1KNo1/B+DgUPPirDnar+R7NScnzCxeonbJIkH"
configure radius-accounting 2 timeout 10
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin
configure account all password-policy min-length 8
configure account all password-policy lockout-on-login-failures on
configure account all password-policy lockout-time-period 5 minutes
Netlogin Configuration:
configure netlogin vlan nt_login
enable netlogin mac
configure netlogin mac authentication database-order radius
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 20-22 mac
configure netlogin ports 20 mode port-based-vlans
configure netlogin ports 20 no-restart
configure netlogin ports 21 mode port-based-vlans
configure netlogin ports 21 no-restart
configure netlogin ports 22 mode port-based-vlans
configure netlogin ports 22 no-restart
configure netlogin authentication failure vlan Default ports 20-22
configure netlogin authentication service-unavailable vlan Default ports 20-22
Show Radius:

Radius Default State:   enabled
Radius Default Timeout: 15 seconds
Radius Algorithm: standard
Radius Retries: 3
Switch Management Radius: disabled
Switch Management Radius server connect time out: 15 seconds *
Switch Management Radius Accounting: disabled
Switch Management Radius Accounting server connect time out: 3 seconds
Netlogin Radius: enabled
Netlogin Radius server connect time out: 15 seconds *
Netlogin Radius Accounting: enabled
Netlogin Radius Accounting server connect time out: 3 seconds
Radius server     :  1 Status is Active
    host name     :
    IP address    :  10.23.23.142
    Server IP Port:  1812
    Client address:  10.255.5.13 (VR-Default)
    Retries       :  3 *
    Timeout       :  15 *
    Realm         :  Netlogin
    shared secret :  #$IUJ6KZp7XE/QtheSL51gMgVphQvqTQtWtlcSTGc2
Access Requests   :  0          Access Accepts    :  0
Access Rejects    :  0          Access Challenges :  0
Access Retransmits:  0          Client timeouts   :  0
Bad authenticators:  0          Unknown types     :  0
Round Trip Time   :  0
Radius server     :  2 Status is Active
    host name     :
    IP address    :  10.23.23.12
    Server IP Port:  1812
    Client address:  10.255.5.13 (VR-Default)
    Retries       :  3 *
    Timeout       :  15 *
    Realm         :  Netlogin
    shared secret :  #$6ruCKApEePMNVH5CaJp4MwIyg7tNkJpaqKVmet19
Access Requests   :  0          Access Accepts    :  0
Access Rejects    :  0          Access Challenges :  0
Access Retransmits:  0          Client timeouts   :  0
Bad authenticators:  0          Unknown types     :  0
Round Trip Time   :  0
Radius Acct server:  1 Status is Active
    host name     :
    IP address    :  10.23.23.142
    Server IP Port:  1813
    Client address:  10.255.5.13 (VR-Default)
    Retries       :  3
    Timeout       :  10
    Realm         :  Netlogin
    shared secret :  #$9+bcdiIS9MEBn1zwdRrI+ROwhz0eYfhA6/dJq9ym
Acct Requests     :  0          Acct Responses    :  0
Acct Retransmits  :  0          Timeouts          :  0
Radius Acct server:  2 Status is Active
    host name     :
    IP address    :  10.23.23.12
    Server IP Port:  1813
    Client address:  10.255.5.13 (VR-Default)
    Retries       :  3
    Timeout       :  10
    Realm         :  Netlogin
    shared secret :  #$p0z1KNo1/B+DgUPPirDnar+R7NScnzCxeonbJIkH
Acct Requests     :  0          Acct Responses    :  0
Acct Retransmits  :  0          Timeouts          :  0
Legend: An asterisk (*) indicates a global value is in use.

Show netlogin port 22:

Port                          : 22
Port Restart                  : Disabled
Allow Egress                  : None
Vlan                          : ELRP-Ctrl
Authentication                : mac-based
Port State                    : Enabled
Auth Failure Vlan             : Disabled
Auth Service-Unavailable Vlan : Disabled
------------------------------------------------
        MAC Mode Port Configuration
------------------------------------------------
Re-authentication period      : 3600
Re-authentication             : Off
Authentication Delay          : 0 seconds (Default)
------------------------------------------------
        Netlogin Clients
------------------------------------------------
MAC                IP address       Authenticated     Type    ReAuth-Timer   User
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Port                          : 22
Port Restart                  : Disabled
Allow Egress                  : None
Vlan                          : Hitchin_VC_1st
Authentication                : mac-based
Port State                    : Enabled
Auth Failure Vlan             : Disabled
Auth Service-Unavailable Vlan : Disabled
------------------------------------------------
        MAC Mode Port Configuration
------------------------------------------------
Re-authentication period      : 3600
Re-authentication             : Off
Authentication Delay          : 0 seconds (Default)
------------------------------------------------
        Netlogin Clients
------------------------------------------------
MAC                IP address       Authenticated     Type    ReAuth-Timer   User
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Number of Clients Authenticated  : 0

Show port 22 information detail:

Port:   22(ARE-RH-L1-10):
        Description String: "VC Reservered Ports"
        Virtual-router: VR-Default
        Type:           UTP
        Redundant Type: NONE
        Random Early drop:      Unsupported
        Admin state:    Enabled
        Copper Medium Configuration:     100M full-duplex auto-polarity on
        Fiber Medium Configuration:      auto-speed sensing  auto-duplex
        Link State:     Active, 100Mbps, full-duplex
        Link Ups:       2        Last: Wed Apr 11 10:35:30 2018
        Link Downs:     1        Last: Wed Apr 11 10:35:16 2018
        VLAN cfg:
                 Name: ELRP-Ctrl, 802.1Q Tag = 3100, MAC-limit = No-limit, Virtual router:   VR-Default
                       Port-specific VLAN ID: 3100
                 Name: Hitchin_VC_1st, Internal Tag = 1002, MAC-limit = No-limit, Virtual router:   VR-Default
        STP cfg:
        Protocol:
                 Name: Hitchin_VC_1st Protocol: ANY      Match all protocols.
        Trunking:       Load sharing is not enabled.
        EDP:            Enabled
        EEE:            Disabled
        ELSM:           Disabled
        Ethernet OAM:           Disabled
        Learning:       Enabled
        Unicast Flooding:       Enabled
        Multicast Flooding:     Enabled
        Broadcast Flooding:     Enabled
        Jumbo:          Disabled
        Flow Control:   Rx-Pause: Disabled      Tx-Pause: Disabled
        Priority Flow Control: Disabled
        Reflective Relay:       Disabled
        Link up/down SNMP trap filter setting:          Disabled
        Egress Port Rate:       No-limit
        Broadcast Rate:         300 packets-per-second
        Multicast Rate:         No-limit
        Unknown Dest Mac Rate:  No-limit
        QoS Profile:    None configured
        Ingress Rate Shaping :          Unsupported
        Ingress IPTOS Examination:      Enabled
        Ingress 802.1p Examination:     Disabled
        Ingress 802.1p Inner Exam:      Disabled
        Ingress 802.1p Priority:        0
        Egress IPTOS Replacement:       Disabled
        Egress 802.1p Replacement:      Disabled
        NetLogin:                       Enabled
        NetLogin authentication mode:   MAC based
        NetLogin port mode:             Port based VLANs
        Smart redundancy:               Enabled
        Software redundant port:        Disabled
        IPFIX:   Disabled               Metering:  Ingress, All Packets, All Traffic
                IPv4 Flow Key Mask:     SIP: 255.255.255.255            DIP: 255.255.255.255
                IPv6 Flow Key Mask:     SIP: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                                        DIP: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        auto-polarity:                  Enabled
        Preferred medium:               Fiber
        Shared packet buffer:           default
        VMAN CEP egress filtering:      Disabled
        Isolation:                      Off
        PTP Configured:                 Disabled
        Time-Stamping Mode:             None
        Synchronous Ethernet:           Unsupported
        Dynamic VLAN Uplink:            Disabled
        VM Tracking Dynamic VLANs:      Disabled
Verbose logs from NAC:

2018-04-11 11:51:50,176 INFO [ESD] Enabling verbose diagnostics for MAC: 00-13-FA-0B-19-11 
2018-04-11 11:51:57,811 DEBUG [ESD] ESDMAC:0B-19-11 EndSystemActionRequestHandler - Processing action: (reauthentication) on end system: 00-13-FA-0B-19-11, IP: null, user: , reason: UserSpecified(USER_INITIATED_REAUTH), from appliance: false
2018-04-11 11:51:57,813 DEBUG [ESD] ESDMAC:0B-19-11 EndSystemActionRequestHandler - This NAC engine is the current appliance, so reauth.
2018-04-11 11:51:57,813 DEBUG [ESD] ESDMAC:0B-19-11 EndSystemActionRequestHandler - Reauthing end system: 00-13-FA-0B-19-11
2018-04-11 11:51:57,813 DEBUG [ESD] ESDMAC:0B-19-11 ReauthTask - Calculating if a re-authentication really needs to be performed for reason: USER_INITIATED_REAUTH.
2018-04-11 11:51:57,813 DEBUG [ESD] ESDMAC:0B-19-11 ReauthTask - The re-authentication request is being processed because the reauth reason: "USER_INITIATED_REAUTH" is not for a data change.
2018-04-11 11:51:57,814 DEBUG [ESD] ESDMAC:0B-19-11 ReauthTask - Re-authentication running for Switch: 10.255.5.13, Port : 1022, Port Name : 1:22, Port Alias: VC Reservered Ports, MAC: 00-13-FA-0B-19-11, Reason: USER_INITIATED_REAUTH
2018-04-11 11:51:57,814 INFO [ESD] ESDMAC:0B-19-11 ReauthSnmpTask - Executing Reauth for MAC: 00-13-FA-0B-19-11, IP: null for NAS switch 10.255.5.13 switchPort 1022 reason: USER_INITIATED_REAUTH all sessions
2018-04-11 11:51:57,814 DEBUG [ESD] ESDMAC:0B-19-11 ReauthSnmpTask - Not using toggle link for session: AUTH_MAC => Rejected: false shouldToggleLinkForRejectedEapTlsOnReauth: true ID: 2025282951
2018-04-11 11:51:57,814 INFO [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Starting Extreme Reauthentication for MAC: 00-13-FA-0B-19-11 on switch: 10.255.5.13 and port: 1022
2018-04-11 11:51:57,814 DEBUG [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - *Not* using port initialization (Switch setting for: 1.3.6.1.4.1.1916.2.175 use initialize: false) & (Attributes to send: No Attributes use initialize: false)
2018-04-11 11:51:57,814 INFO [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Reauthenticating using Dot1X Auth Reauthenticate for MAC: 00-13-FA-0B-19-11
2018-04-11 11:51:57,814 DEBUG [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - using OID: 1.0.8802.1.2.1.2.1.2.1.2.0.19.250.11.25.17
2018-04-11 11:51:58,062 DEBUG [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Unable set dot1xAuthReauthenticate2(1.0.8802.1.2.1.2.1.2.1.2.0.19.250.11.25.17) from switch: 10.255.5.13, with error: Error writting to OID: "1.0.8802.1.2.1.2.1.2.1.2.0.19.250.11.25.17", with value: 1", with SNMP error: SNMP_ERROR_COMMIT_FAILED.
2018-04-11 11:51:58,062 DEBUG [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Clearing of 802.1X sessions for entire port is *not* allowed, so skipping reauthenticating using dot1xPaePortReauth for switch port: 1022
2018-04-11 11:51:58,062 INFO [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Reauthenticating using Extreme MAC Auth Client Reauthenticate OID for MAC: 00-13-FA-0B-19-11
2018-04-11 11:51:58,062 DEBUG [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - using OID: 1.3.6.1.4.1.1916.1.44.1.1.1.3.0.19.250.11.25.17
2018-04-11 11:51:58,240 DEBUG [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Unable set OID: (1.3.6.1.4.1.1916.1.44.1.1.1.3.0.19.250.11.25.17) for switch: 10.255.5.13, with error: Error writting to OID: "1.3.6.1.4.1.1916.1.44.1.1.1.3.0.19.250.11.25.17", with value: 1", with SNMP error: SNMP_ERROR_NOT_WRITEABLE.
2018-04-11 11:51:58,240 DEBUG [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - *Not* falling back to toggle link because option is disabled.
2018-04-11 11:51:58,240 DEBUG [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - 802.1X Reauthentication was: *not* successful
2018-04-11 11:51:58,240 DEBUG [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - MAC Reauthentication was: *not* successful
2018-04-11 11:51:58,240 INFO [ESD] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Reauthentication was: *not* successful
2018-04-11 11:51:58,240 DEBUG [ESD] ESDMAC:0B-19-11 ReauthTask - Re-authentication failed. Switch: 10.255.5.13, Port : 1022, Port Name : 1:22, Port Alias: VC Reservered Ports, MAC: 00-13-FA-0B-19-11, Reason: USER_INITIATED_REAUTH

The switch is an X440G1 running version 16.2.3.5 patch1-3.

Thanks for any help in advance.
Martin Flammia

Posted 6 months ago

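A small triage script for the symptom in this post, added here as an example; it is not part of the original post or of Extreme's own tooling. It parses two artefacts already quoted above, the `show radius` counter block and the NAC verbose log, into a verdict: all-zero Access Requests and Client timeouts mean the switch never built an Access-Request, so the empty tcpdump on the NAC is exactly what you would expect and the fault sits before RADIUS (no frame from the endpoint ever reached netlogin). It also decodes the MAC carried in the index of the per-client OIDs (the six trailing decimal octets) and collects the SNMP set errors from the re-auth attempt. The samples are constructed from the figures quoted in the post; the column layout of `show radius` and the "Error writting to OID ... with SNMP error:" wording of the NAC log are assumed to be exactly as shown above.

```python
"""Triage helper: MAC-auth port, RADIUS counters all zero, NAC re-auth failing.

Added example, not code from the original post or from Extreme/EXOS. The two
samples below are constructed from the output quoted in the post.
"""
import re

# Constructed sample: the two authentication servers from `show radius`
# (accounting blocks omitted). Every counter is 0.
SHOW_RADIUS_SAMPLE = """\
Radius server     :  1 Status is Active
    IP address    :  10.23.23.142
    Server IP Port:  1812
Access Requests   :  0          Access Accepts    :  0
Access Rejects    :  0          Access Challenges :  0
Access Retransmits:  0          Client timeouts   :  0
Bad authenticators:  0          Unknown types     :  0
Radius server     :  2 Status is Active
    IP address    :  10.23.23.12
    Server IP Port:  1812
Access Requests   :  0          Access Accepts    :  0
Access Rejects    :  0          Access Challenges :  0
Access Retransmits:  0          Client timeouts   :  0
Bad authenticators:  0          Unknown types     :  0
"""

# Constructed sample: the two failed SNMP sets from the NAC (ESD) verbose log.
NAC_LOG_SAMPLE = """\
... ExtremeXosReauthenticationSnmpWorker - using OID: 1.0.8802.1.2.1.2.1.2.1.2.0.19.250.11.25.17
... ExtremeXosReauthenticationSnmpWorker - Unable set dot1xAuthReauthenticate2(...) from switch: 10.255.5.13, with error: Error writting to OID: "1.0.8802.1.2.1.2.1.2.1.2.0.19.250.11.25.17", with value: 1", with SNMP error: SNMP_ERROR_COMMIT_FAILED.
... ExtremeXosReauthenticationSnmpWorker - using OID: 1.3.6.1.4.1.1916.1.44.1.1.1.3.0.19.250.11.25.17
... ExtremeXosReauthenticationSnmpWorker - Unable set OID: (...) for switch: 10.255.5.13, with error: Error writting to OID: "1.3.6.1.4.1.1916.1.44.1.1.1.3.0.19.250.11.25.17", with value: 1", with SNMP error: SNMP_ERROR_NOT_WRITEABLE.
"""

# "Access Requests   :  0          Access Accepts    :  0" -> two (name, value) pairs
COUNTER_RE = re.compile(r"([A-Z][A-Za-z ]+?)\s*:\s*(\d+)")
# The switch spells it "writting"; accept either spelling.
SNMP_ERR_RE = re.compile(r'Error writt?ing to OID: "([\d.]+)".*?SNMP error: (SNMP_ERROR_\w+)')


def parse_show_radius(text):
    """Return one dict per authentication server: {'ip': ..., '<counter>': int, ...}."""
    servers = []
    for line in text.splitlines():
        if line.startswith("Radius server"):
            servers.append({})
            continue
        if not servers:
            continue
        if line.strip().startswith("IP address"):
            servers[-1]["ip"] = line.split(":", 1)[1].strip()
            continue
        for key, value in COUNTER_RE.findall(line):
            servers[-1][key.strip()] = int(value)
    return servers


def classify(servers):
    """Locate the fault in the RADIUS path from the switch-side counters alone."""
    requests = sum(s.get("Access Requests", 0) for s in servers)
    timeouts = sum(s.get("Client timeouts", 0) for s in servers)
    answers = sum(s.get(k, 0) for s in servers
                  for k in ("Access Accepts", "Access Rejects", "Access Challenges"))
    if requests == 0 and timeouts == 0:
        return ("no-request-sent",
                "The switch never built an Access-Request, so an empty tcpdump on the "
                "server is expected. MAC-based netlogin only authenticates a MAC once a "
                "frame from it arrives on the port: suspect a silent endpoint (ping it, "
                "allow all_cast egress so ARP reaches it, confirm its VLAN is on the port).")
    if requests > 0 and answers == 0:
        return ("no-response",
                "Requests left the switch but nothing came back: check reachability from "
                "the client-ip, and the NAS entry and shared secret on the server.")
    return ("exchange-seen", "A RADIUS exchange is happening; look at the accept/reject decision.")


def mac_from_oid(oid):
    """Per-client rows are indexed by MAC: the last six OID components are its octets."""
    return "-".join(f"{int(o):02X}" for o in oid.split(".")[-6:])


def parse_nac_log(text):
    """Return [(oid, mac, error)] for every failed SNMP set in the verbose log."""
    return [(oid, mac_from_oid(oid), err) for oid, err in SNMP_ERR_RE.findall(text)]


def diagnose(show_radius_text, nac_log_text):
    """Combine both artefacts into a short, actionable report (list of lines)."""
    verdict, advice = classify(parse_show_radius(show_radius_text))
    report = [f"radius: {verdict}: {advice}"]
    failures = parse_nac_log(nac_log_text)
    if verdict == "no-request-sent" and failures:
        macs = ", ".join(sorted({m for _, m, _ in failures}))
        errs = ", ".join(sorted({e for _, _, e in failures}))
        report.append(f"nac: every re-auth SNMP set for {macs} failed ({errs}); consistent with "
                      "the switch holding no netlogin session for that MAC, so there is nothing "
                      "to re-authenticate. Get the first authentication to happen before using re-auth.")
    return report


if __name__ == "__main__":
    for line in diagnose(SHOW_RADIUS_SAMPLE, NAC_LOG_SAMPLE):
        print(line)
```

Run it against a pasted `show radius` and the NAC log of a real switch by swapping the two sample strings for file contents; the verdict logic is deliberately based only on switch-side counters, because those are the one data point that distinguishes "never sent" from "sent and dropped" without needing the server's capture.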
Pawel Zwierzynski
Hi
What kind of end system did you connect? I had this problem; the end system just didn't generate any traffic.

Regards
Martin Flammia
It is a Video Conferencing device. Could possibly be due to that, but the solution was previously working and additionally works at another site.

Nonetheless, you never know.... so a good call.

I'll post back the results. Thanks
Ahmed Haroun
Hi,

If this is a silent device then you need to make sure of two things:

1. The VLAN where the device should go must be added explicitly to the port before enabling netlogin.
2. This command looks to be missing from your config:

configure netlogin ports 22 allow egress-traffic all_cast
Martin Flammia
Thanks for the information.

Adding a PC to the port seems to have triggered the RADIUS request, so the video conference unit is directly related to the issue.

Adding the command:

configure netlogin ports 22 allow egress-traffic all_cast

Seems to have affected the port: the LEDs have stayed green, whereas before they would consistently switch between green and amber... but the VC unit still isn't triggering the netlogin / RADIUS process.

Still experimenting at the moment, so will post back if anything comes up.
Erik Auerswald, Embassador
Can you trigger netlogin of the VC unit by pinging it? Allowing all_cast to egress the port should enable the ARP request to reach the VC unit, which can then answer. The answer should trigger netlogin.

Does the VC unit use DHCP, but the port/VLAN has spanning tree enabled without edge port configuration? It might not try DHCP often enough to trigger netlogin after STP puts the port into forwarding mode.