Netlogin MAC-based auth problems

  • Problem
  • Updated 1 year ago
  • Solved
Hello, everybody,

I've got a recommendation from an Extreme employee (he is really an expert!) to configure netlogin MAC-based auth. (I need it to bring more data, like Device Type and Operating System, from identity-management on the Summits to Netsight. NAC is also involved.)

He said:

"For MAC-auth your users do not need to enter anything at all – they just connect to the network as usual and NAC automatically does the MAC-auth (for visibility purposes only). When you add a “switch” into the NAC switch database, you can select “no attribute to send back”; in this case MAC-auth happens but no policy will be applied to the port, so clients connect as usual but NAC knows everything about the client and provides these details in NMS screens/reports."

How can I configure that "MAC-auth for visibility purpose only"? I've tried to do so many times and every time switch just blocks a port when I attach any device...

Please, help! Does somebody understand how exactly I should configure MAC-based netlogin auth on a Summit, taking into consideration the recommendation above?

Many thanks in advance,

Ilya

Ilya Semenov


Posted 1 year ago


Matthew Helm, Employee

Please post your current switch configuration.

Ilya Semenov

Hello, Matthew,

thanks, here it is (below). With this configuration the device works fine. There isn't anything related to netlogin MAC-based auth in it now (I removed it).

X430-48t.3 # show configuration
#
# Module devmgr configuration.
#
configure snmp sysContact "support@extremenetworks.com, +1 888 257 3000"
configure sys-recovery-level switch reset

#
# Module vlan configuration.
#
configure vlan default delete ports all
configure vr VR-Default delete ports 1-52
configure vr VR-Default add ports 1-52
configure vlan default delete ports 8,13,48,50
enable jumbo-frame ports all
create vlan "VLAN10"
configure vlan VLAN10 tag 10
create vlan "VLAN1024"
create vlan "VLAN1025"
create vlan "vlan3139"
configure vlan vlan3139 tag 3139
enable sharing 46 grouping 46,48 algorithm address-based L3 lacp
configure vlan Default add ports 1-7,9-12,14-47,49,51-52 untagged
configure vlan VLAN10 add ports 44,49 tagged
configure vlan vlan3139 add ports 49 tagged
configure vlan vlan3139 add ports 8,13 untagged
configure vlan Default ipaddress 192.168.13.5 255.255.254.0
configure vlan VLAN10 ipaddress 10.10.10.55 255.255.255.0

#
# Module fdb configuration.
#

#
# Module rtmgr configuration.
#
configure iproute add default 192.168.13.3

#
# Module mcmgr configuration.
#
configure forwarding ipmc lookup-key mac-vlan

#
# Module aaa configuration.
#
configure account admin encrypted "$5$uni7jv$Dr65.wIgsf7XteqWQtqJrhwYtDzB0lsiHNn

#
# Module acl configuration.
#




#
# Module cfgmgr configuration.
#
enable cli-config-logging

#
# Module dosprotect configuration.
#

#
# Module dot1ag configuration.
#

#
# Module eaps configuration.
#

#
# Module edp configuration.
#

#
# Module elrp configuration.
#

#
# Module ems configuration.
#
configure syslog add 192.168.13.246:514 vr VR-Mgmt local7
enable log target syslog 192.168.13.246:514 vr VR-Mgmt local7
configure log target syslog 192.168.13.246:514 vr VR-Mgmt local7 filter DefaultF
configure log target syslog 192.168.13.246:514 vr VR-Mgmt local7 match Any
configure log target syslog 192.168.13.246:514 vr VR-Mgmt local7 format timestam
configure syslog add 192.168.13.246:514 vr VR-Default local0
enable log target syslog 192.168.13.246:514 vr VR-Default local0
configure log target syslog 192.168.13.246:514 vr VR-Default local0 filter Defau
configure log target syslog 192.168.13.246:514 vr VR-Default local0 match Any
configure log target syslog 192.168.13.246:514 vr VR-Default local0 format times

#
# Module epm configuration.
#

#
# Module erps configuration.
#

#
# Module esrp configuration.
#

#
# Module etmon configuration.
#

#
# Module exsshd configuration.
#
enable ssh2

#
# Module hal configuration.
#

#
# Module idMgr configuration.
#
enable identity-management
configure identity-management add ports 1-48,50-52
configure identity-management kerberos snooping add server 192.168.13.20
configure identity-management kerberos snooping add server 192.168.13.51

#
# Module ipSecurity configuration.
#
enable ip-security dhcp-snooping vlan Default port 1-52 violation-action none

#
# Module lacp configuration.
#

#
# Module lldp configuration.
#

#
# Module mrp configuration.
#

#
# Module netLogin configuration.
#

#
# Module netTools configuration.
#
configure dns-client add name-server 192.168.13.20 vr VR-Default
configure bootprelay add 192.168.13.251 vr VR-Default
enable bootprelay ipv4 vlan Default
configure bootprelay vlan Default add 192.168.13.251

#
# Module poe configuration.
#

#
# Module snmpMaster configuration.
#
configure snmpv3 add user "user" engine-id 80:00:07:7c:03:00:04:96:98:0e:bc autha:23:da:23:d7:23:e8:3f:23:d8:21:23:c7:5c:23:95:39 privacy privacy-encrypted loca:c7:5c:23:95:39
configure snmpv3 add user "snmpuser" engine-id 80:00:07:7c:03:00:04:96:98:0e:bc 23:de:79:57:23:de:6d:24:23:7d:23:b1 privacy privacy-encrypted localized-key 75:2
configure snmpv3 add group "NAC" user "snmpuser" sec-model usm
configure snmpv3 add access "NAC" sec-model usm sec-level priv read-view "intern
configure snmpv3 add mib-view "internet" subtree 1.0/80 type included
configure snmpv3 add target-addr "informtarget" param "informparam" ipaddress 19
configure snmpv3 add target-params "informparam" user "user" mp-model snmpv3 sec
configure snmpv3 add notify "defaultinform" tag "defaultinform" type inform

#
# Module stp configuration.
#

#
# Module techSupport configuration.
#
enable tech-support collector

#
# Module telnetd configuration.
#

#
# Module thttpd configuration.
#
configure ssl certificate hash-algorithm sha512

#
# Module xmlc configuration.
#
create xml-notification target netsight_192.168.13.248 url https://192.168.13.24
configure xml-notification target netsight_192.168.13.248 user ssadmin encrypted
configure xml-notification target netsight_192.168.13.248 from 192.168.13.5
enable xml-notification netsight_192.168.13.248
configure xml-notification target netsight_192.168.13.248 add idMgr
X430-48t.4 #

Jeremy, Embassador

Maybe you need to set netlogin auth optional instead of required.


configure netlogin port 1:36 authentication mode optional

Jeremy, Embassador

Can you run

show netlogin session port...

The command is similar to that but will show the status of the device.

Ilya Semenov

Hello, Jeremy,

I don't have such commands in 16.1.2.14 on an X430:

X430-48t.10 # configure netlogin port 17 ?
  allow           Allow traffic, even when not authenticated
  mode            Configure port operation mode
  no-restart      Do not restart the port when all clients unauthenticate
  restart         Restart the port when all clients unauthenticate
* X430-48t.10 # configure netlogin port 17

Is this the equivalent: configure netlogin port 17 allow egress-traffic all_cast ?

Ilya Semenov

I have some config changes now:

create vlan "NTLG"

# Module netLogin configuration.
#
configure netlogin move-fail-action authenticate
configure netlogin vlan NTLG
enable netlogin mac
enable netlogin ports 17 mac
configure netlogin ports 17 mode mac-based-vlans
configure netlogin ports 17 no-restart
configure netlogin ports 17 allow egress-traffic all_cast

After these changes I got this in the log:

05/27/2017 13:04:31.17 <Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user F4:6D:04:1B:D0:9B Mac F4:6D:04:1B:D0:9B port 17
05/27/2017 13:04:31.17 <Erro:nl.mac.MacListEmpty> Mac authentication was initiated, but mac-list for virtual router VR-Default is empty

Should I add all ports to NTLG vlan as tagged?

Ilya Semenov

The final changes:

# Module netLogin configuration.
#
configure netlogin move-fail-action authenticate
configure netlogin vlan NTLG
enable netlogin mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 ports 17
enable netlogin ports 17 mac
configure netlogin ports 17 mode mac-based-vlans
configure netlogin ports 17 no-restart
configure netlogin ports 17 allow egress-traffic all_cast
* X430-48t.41 #

The message about MacListEmpty is gone, but there is still:

05/27/2017 13:11:16.16 <Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user F46D041BD09B Mac F4:6D:04:1B:D0:9B port 17

But it seems like the port isn't blocked now (I am out of the office and trying remotely).
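As an added example (not part of this thread and not Extreme's own tooling), here is a small Python parser for the EMS netlogin lines posted above. The sample log is constructed from the three lines in the thread; the event names nl.ClientAuthFailure and nl.mac.MacListEmpty and their message wording are taken from those lines, and the regular expressions assume that wording stays stable across releases. It extracts MAC, port and virtual router, counts failures per end-system MAC, and turns the events into the two findings the thread arrives at: an empty mac-list, and a MAC that no authentication database (local user, RADIUS/NAC) accepted. The normalize_mac helper produces the separator-free upper-case form that the later log line shows as the username, which is also the form a netlogin local-user name takes.

```python
"""Parse EXOS EMS netlogin log lines and summarise MAC-auth failures (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, modelled on the three EMS lines quoted in the thread.
SAMPLE_LOG = """\
05/27/2017 13:04:31.17 <Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user F4:6D:04:1B:D0:9B Mac F4:6D:04:1B:D0:9B port 17
05/27/2017 13:04:31.17 <Erro:nl.mac.MacListEmpty> Mac authentication was initiated, but mac-list for virtual router VR-Default is empty
05/27/2017 13:11:16.16 <Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user F46D041BD09B Mac F4:6D:04:1B:D0:9B port 17
"""

# Generic EMS line: "<date> <time> <Severity:component.event> message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"<(?P<sev>\w+):(?P<event>[\w.]+)>\s+(?P<msg>.*)$"
)
# Fields inside the nl.ClientAuthFailure and nl.mac.MacListEmpty messages (wording as seen above)
AUTH_FAIL_RE = re.compile(
    r"MAC user (?P<user>\S+) Mac (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) port (?P<port>\S+)"
)
LIST_EMPTY_RE = re.compile(r"mac-list for virtual router (?P<vr>\S+) is empty")


@dataclass
class NetloginEvent:
    timestamp: str
    severity: str
    event: str                  # e.g. "nl.ClientAuthFailure"
    user: Optional[str] = None  # username the switch presented to the auth database
    mac: Optional[str] = None   # end-system MAC in colon form
    port: Optional[str] = None
    vr: Optional[str] = None    # virtual router named in a MacListEmpty event


def normalize_mac(mac: str) -> str:
    """Colon/dash form -> upper-case separator-free form (the netlogin local-user name form)."""
    return mac.replace(":", "").replace("-", "").upper()


def parse_line(line: str) -> Optional[NetloginEvent]:
    """Return a NetloginEvent for an nl.* EMS line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("event").startswith("nl."):
        return None
    ev = NetloginEvent(m.group("ts"), m.group("sev"), m.group("event"))
    msg = m.group("msg")
    if ev.event == "nl.ClientAuthFailure":
        f = AUTH_FAIL_RE.search(msg)
        if f:
            ev.user, ev.mac, ev.port = f.group("user"), f.group("mac"), f.group("port")
    elif ev.event == "nl.mac.MacListEmpty":
        e = LIST_EMPTY_RE.search(msg)
        if e:
            ev.vr = e.group("vr")
    return ev


def parse_log(text: str) -> list[NetloginEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def failures_by_mac(events: list[NetloginEvent]) -> dict[str, int]:
    """Count ClientAuthFailure events per end-system MAC (colon form)."""
    return dict(Counter(ev.mac for ev in events
                        if ev.event == "nl.ClientAuthFailure" and ev.mac))


def diagnose(events: list[NetloginEvent]) -> list[str]:
    """Map the events onto the two conditions discussed in the thread."""
    findings = []
    for ev in events:
        if ev.event == "nl.mac.MacListEmpty":
            findings.append(f"{ev.vr}: MAC auth started with an empty mac-list; add a "
                            f"'configure netlogin add mac-list ...' entry for the port")
    for mac, n in failures_by_mac(events).items():
        findings.append(f"{mac}: {n} auth failure(s); no database (local-user "
                        f"{normalize_mac(mac)}, RADIUS/NAC) accepted this MAC")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_log(SAMPLE_LOG)):
        print(finding)
```

Feeding the switch's syslog export (the VR-Default local0 target in the configuration above) through parse_log gives a per-MAC failure count that is useful both while troubleshooting a port that keeps blocking and, once MAC auth is running for visibility only, as a cheap check that NAC is actually accepting the end systems the switch forwards to it.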

Karthik Mohandoss, Employee

Ilya,

I guess you are almost there.
I can see that the AAA module does not have a RADIUS server configured for Netlogin.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-R...

AAA configuration from the article. 

Switch Radius configuration:
  • configure radius netlogin primary server <radius server IP> client-ip <source IP for radius request from switch>
  • configure radius netlogin primary shared-secret <secret>
  • enable radius netlogin
Or have you already configured the Radius server ("show config aaa") ?

Since you do not want any action taken by NAC, you also need to add the port to the intended VLAN (ISP mode).

I hope this helps...

Ilya Semenov

Hello, Karthik,

thanks for your reply. I don't have RADIUS configured yet. Is it really required? Could it be local authentication?

Could you please explain this in more detail: "since you do not want any action taken by NAC you also need to add the port to intended VLAN (ISP mode)" - what do you mean?

Many thanks in advance,

Ilya

David Choi, Employee

Hi Ilya,

The local database can also be used for MAC authentication without a RADIUS server. When using the switch's local database, you need the following configuration:

configure netlogin mac authentication database-order local
create netlogin local-user "<Capital MAC address>" "<password also Capital MAC addr>"

ex> create netlogin local-user "507B9DD58ECE" "507B9DD58ECE"

You have configured the "NTLG" VLAN as the netlogin VLAN, which means NTLG will be used for unauthenticated clients. You need to assign a VLAN to be used for MAC-authenticated clients in one of the two ways below:
(Let's say the MAC-authenticated clients should be assigned to VLAN3139)

i. Pre-configure the VLAN on the port 17

configure vlan VLAN3139 add port 17

Port 17 will be assigned to VLAN3139 after MAC authentication.


ii. Use VLAN-VSA

configure netlogin local-user "<MAC address>" vlan-vsa [tagged | untagged] VLAN3139

Since you configured the port mode as "mac-based-vlans" (not port-based-vlans), I think using VLAN-VSA would be the proper way for that mode.

I hope this helps...

Ilya Semenov

Hello, David,

thank you!

Do you mean that to make the MAC-based auth feature work I should manually create a MAC database of all devices that use the switch?

It contradicts a bit what the other Extreme employee said:

"For MAC-auth your users do not need to enter anything at all – they just connect to the network as usual and NAC automatically does the MAC-auth (for visibility purposes only)"

Thanks!

David Choi, Employee

Hi Ilya,

I meant the MAC-based auth case using the local database. You can also use a MAC address prefix (i.e. a particular MAC OUI), as in the URL below:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-Configure/?q=netlogin+oui&l=en_...

The statement you quoted from the other Extreme employee is just about NAC and the client's view. MAC auth based on the local database also does not require anything to be entered by the client.
The only difference is where the user's MAC address is authenticated: the switch's local database, NAC, or RADIUS.

Erik Auerswald, Embassador

Hi Ilya,

to use NAC for increased visibility via MAC "authentication", you need to configure optional MAC authentication (netlogin) on the port, with NAC as the RADIUS server. The switch will then send the MAC address of a connected end system to NAC. With authentication optional, the end system will be allowed onto the network even if it is not (yet) known to NAC.

Erik