Netlogin MAC-based auth problems

Ilya_Semenov
Contributor
Hello, everybody,

I've got a recommendation from an Extreme employee (he is really an expert!) to configure netlogin MAC-based auth. (I need it to bring more data like Device Type and Operating System from identity management on Summits to NetSight. NAC is also involved.)

He said:

"For MAC-auth your users do not need to enter anything at all; they just connect to the network as usual and NAC automatically does the MAC-auth (for visibility purposes only). When you add a "switch" into the NAC switch database, you can select "no attribute to send back"; in this case MAC-auth happens but no policy will be applied to the port, so clients connect as usual but NAC knows everything about the client and provides these details in NMS screens/reports."

How can I configure that "MAC-auth for visibility purposes only"? I've tried to do so many times, and every time the switch just blocks the port when I attach any device...

Please help! Does somebody understand how exactly I should configure MAC-based netlogin auth on a Summit, taking into consideration the recommendation above?

Many thanks in advance,

Ilya

15 REPLIES

Erik_Auerswald
Contributor II
Hi Ilya,

To use NAC for increased visibility via MAC "authentication", you need to configure optional MAC authentication (netlogin) on the port, with NAC as the RADIUS server. The switch will then send the MAC address of a connected end system to NAC. With authentication optional, the end system is allowed onto the network even if it is not (yet) known to NAC.

Erik

Karthik_Mohando
Extreme Employee
Ilya,

I guess you are almost there.
I can see that the AAA module does not have a RADIUS server configured for netlogin.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-R...

AAA configuration from the article.

Switch RADIUS configuration:
  • configure radius netlogin primary server client-ip
  • configure radius netlogin primary shared-secret
  • enable radius netlogin
Or have you already configured the RADIUS server ("show config aaa")?

Since you do not want any action taken by NAC, you also need to add the port to the intended VLAN (ISP mode).

I hope this helps...
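The steps in Erik's and Karthik's replies, put together as one EXOS configuration fragment. This is an added example, not configuration from the thread or from the linked GTAC article; the VLAN names, port list, NAC/RADIUS address, client IP and shared secret are placeholders, and the exact command syntax should be checked against the command reference for the EXOS release in use.

```exos
# Added example (illustrative): MAC-based netlogin "for visibility only".
# All names, ports, addresses and the secret below are assumptions.

# 1. Point netlogin RADIUS at NAC (Karthik's three AAA commands, with values filled in).
configure radius netlogin primary server 192.0.2.10 1812 client-ip 192.0.2.1 vr VR-Default
configure radius netlogin primary shared-secret s3cret-placeholder
enable radius netlogin

# 2. Netlogin needs its own (dummy) VLAN; keep no ports in it.
create vlan nl_dummy
configure netlogin vlan nl_dummy

# 3. Turn on MAC-based netlogin and enable it on the access ports.
enable netlogin mac
enable netlogin ports 1-24 mac

# 4. "ISP mode": the ports already sit in their production VLAN, so NAC does not
#    have to return a VLAN; in NAC pick "no attribute to send back" for this switch.
configure vlan Users add ports 1-24 untagged

# 5. The reason the port "just blocks": with the default (required) mode an end
#    system NAC does not know, or rejects, is kept off the network. Optional mode
#    keeps the port forwarding while the MAC is still sent to NAC (Erik's point).
configure netlogin ports 1-24 authentication mode optional

# Checks: confirm the RADIUS server is present and clients are seen/authenticated.
show configuration aaa
show netlogin port 1-24 mac
```

Without step 5 the behaviour Ilya describes is expected: the first unknown client fails MAC authentication and the port stays blocked. With optional mode, NAC still receives the MAC address for its end-system view, but a failed or unanswered authentication no longer changes what the client can reach, so this configuration is visibility only and provides no access control.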

Hi Ilya,

I meant the MAC-based auth using the local database case. You can also use a MAC address prefix (i.e. a particular MAC OUI), as in the URL below:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-Configure/?q=netlogin+oui&l=en_...

The remark you referred to from the other Extreme employee is just about NAC and the client's view. MAC auth based on the local database also does not require anything to be entered by the client.
The only difference is whether the user's MAC address is authenticated by the switch locally (local database), by NAC, or by RADIUS.
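For the local-database alternative David describes, here is an added example (not from the thread or the linked article) of how the switch itself can hold the allowed MAC addresses, including an OUI prefix entry; the addresses, prefix and port list are assumptions.

```exos
# Added example (illustrative): MAC-based netlogin against the switch's local database.
# The MAC addresses, the OUI and the port list are assumptions, not values from the thread.

create vlan nl_dummy
configure netlogin vlan nl_dummy
enable netlogin mac
enable netlogin ports 1-24 mac

# Authenticate MAC addresses against the local mac-list only (no RADIUS/NAC involved).
configure netlogin mac authentication database-order local

# One specific device (with no password given, the MAC itself is used as the password).
configure netlogin add mac-list 00:11:22:33:44:55

# A whole vendor prefix: the /24 mask matches every MAC whose first three octets are 00:11:22.
configure netlogin add mac-list 00:11:22:00:00:00 24

# Entries can be restricted to particular ports.
configure netlogin add mac-list 00:aa:bb:cc:dd:ee ports 5-8

show netlogin mac-list
```

This is the case where a MAC database has to be maintained by hand on the switch. Note that an OUI entry admits any device that claims a MAC address with that prefix, and MAC addresses are trivially spoofed, so this is at best a weak access control rather than authentication.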

Hello, David,

thank you!

Do you mean that to make the MAC-based auth feature work I should manually create a MAC database of all devices which use the switch?

It contradicts a bit what the other Extreme employee said:

"For MAC-auth your users do not need to enter anything at all; they just connect to the network as usual and NAC automatically does the MAC-auth (for visibility purposes only)"

Thanks!