Netlogin unwanted MAC is authenticated locally

Question · Answered · Updated 1 year ago (Edited)
Hi,

I'm a little bit confused:
We have been using netlogin for a year and it's working like you would expect:
An unknown MAC address shows up on the switch, gets blocked and is reported in EMS.

But now I have an unwanted MAC address which is authenticated locally: it is reported as rejected in EMS, but the switch authenticates the user and assigns it to the granted VLAN.

Here is the netlogin config:
#
# Module netLogin configuration.
#
configure netlogin vlan AUTH
enable netlogin mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin mac timers reauth-period 7200
enable netlogin ports 1:10-48,2:10-2:48 mac
configure netlogin ports 1:10-48,2:10-2:48 mode mac-based-vlans
configure netlogin ports 1:10-48,2:10-2:48 no-restart
enable netlogin authentication service-unavailable vlan ports 1:10-48,2:10-2:48
configure netlogin authentication service-unavailable vlan office ports 1:10-48,2:10-2:48

RADIUS is working; the switch is an X450e-48p (stacked) with EXOS 15.3.2.11.

I'm happy for feedback

Best Regards
Chacko

Posted 1 year ago

Karthik Mohandoss, Employee

Hi Chacko,

Can you post the "show netlogin port <port#>" and the "show log" which has the login success message?

Chacko

Hi Karthik,

here is the output:
# sh netlogin port 2:20
Port : 2:20
Port Restart : Disabled
Allow Egress : None
Vlan : AUTH
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Enabled
MAC                IP address  Authenticated  Type  ReAuth-Timer  User
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Port : 2:20
Port Restart : Disabled
Allow Egress : None
Vlan : office
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Enabled
MAC                IP address  Authenticated  Type  ReAuth-Timer  User
10:4f:a8:XX:XX:XX  0.0.0.0     Yes, Locally   MAC   7197          104FA8XXXXXX
-----------------------------------------------
(B) - Client entry Blackholed in FDB

And the log:
<Info:nl.ClientAuthenticated> Network Login MAC user 104FA8XXXXXX logged in MAC 10:4F:A8:XX:XX:XX port 2:20 VLAN(s) "office", authentication Locally
<Info:vlan.msgs.portLinkStateUp> Port 2:20 link UP at speed 100 Mbps and full-duplex

Karthik Mohandoss, Employee

Chacko,

Is it possible to post the screenshot of the rejection message in the EMS?

Can you check that this MAC address is not present as a local user on the switch itself?
The command is "show netlogin local-users".

If you have a RADIUS server configured, can you post the "show config aaa", and did the RADIUS request pass before the switch decided to do a local authentication? You can see this from "show log" if the RADIUS requests are failing.

Chacko

Hi,

sorry, I misspelled it - I meant EMC (management center):


The first line is the configuration for our NAC appliances, so that policy sits underneath the "allow if MAC and end-system group xxx" policies.
The second line is the output in Access Control -> Rejected End Systems.

RADIUS is properly configured, the priority is the default (radius, local), and the local MAC users are empty.

There are no other log entries related to authentication as soon as the port comes up.
All the other netlogin devices are working fine on that switch, and I can say with 100% certainty that the MAC address is not known in our Access Control database (first, I built a script for checking it, and second, the right policy is chosen, so the MAC cannot be inside our end-system groups).

BR
Chacko

Karthik Mohandoss, Employee

Hi Chacko,

If the MAC is authenticated by EMC then we will see a different log message, but looking at the log message which you have shared, the authentication has been processed locally by the switch:

<Info:nl.ClientAuthenticated> Network Login MAC user 104FA8XXXXXX logged in MAC 10:4F:A8:XX:XX:XX port 2:20 VLAN(s) "office", authentication Locally  


I wanted to check if the local user database has this mac address or not and that can be checked using the command "show netlogin local-users" in the switch. 

Chacko

Hi,

okay, I can follow you: 
Here is the output:
Slot-1 sw # sh netlogin local-users
Netlogin Local User Name  Extended-VLAN VSA              Security Profile
------------------------  -----------------------------  ----------------------
Slot-1 sw #
So the local database is empty.

BR
Chacko
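A small check that automates what Karthik asked for in this thread: it parses "show log" lines for nl.ClientAuthenticated events, parses the "show netlogin local-users" table, and flags any client the switch reports as authenticated "Locally" whose user name or MAC is absent from the local user database. That combination (local authentication, empty local-users table) is exactly the anomaly under discussion, so it is the condition to alert on while the GTAC case is open. This is an added example, not code from the thread or from Extreme Networks; the sample log lines and the one-user table are constructed from the outputs posted above, with the masked octets replaced by placeholder values, and the wording "authentication Radius" for the non-local case is assumed rather than taken from the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample "show log" output, modelled on the lines posted in this thread.
# The XX octets of the real MAC are replaced by placeholder values; the
# "authentication Radius" wording on the third line is an assumption.
SAMPLE_LOG = """\
 <Info:nl.ClientAuthenticated> Network Login MAC user 104FA8AABBCC logged in MAC 10:4F:A8:AA:BB:CC port 2:20 VLAN(s) "office", authentication Locally
<Info:vlan.msgs.portLinkStateUp> Port 2:20 link UP at speed 100 Mbps and full-duplex
<Info:nl.ClientAuthenticated> Network Login MAC user 001122334455 logged in MAC 00:11:22:33:44:55 port 1:12 VLAN(s) "office", authentication Locally
<Info:nl.ClientAuthenticated> Network Login MAC user 00AABBCCDDEE logged in MAC 00:AA:BB:CC:DD:EE port 1:13 VLAN(s) "office", authentication Radius
"""

# The empty local-users table exactly as posted in this thread.
EMPTY_LOCAL_USERS = """\
Slot-1 sw # sh netlogin local-users
Netlogin Local User Name  Extended-VLAN VSA              Security Profile
------------------------  -----------------------------  ----------------------
Slot-1 sw #
"""

# Constructed variant with one local MAC user, so the "explained" path is exercised too.
SAMPLE_LOCAL_USERS = """\
Netlogin Local User Name  Extended-VLAN VSA              Security Profile
------------------------  -----------------------------  ----------------------
001122334455              office
"""

AUTH_RE = re.compile(
    r"<Info:nl\.ClientAuthenticated>\s+Network Login (?P<kind>\S+) user (?P<user>\S+) "
    r"logged in MAC (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) port (?P<port>\S+) "
    r'VLAN\(s\) "(?P<vlans>[^"]*)", authentication (?P<method>\S+)'
)


@dataclass(frozen=True)
class AuthEvent:
    kind: str          # "MAC" in this thread; the login type the switch reports
    user: str          # user name as logged (for MAC auth, the MAC without separators)
    mac: str           # normalised: 12 lowercase hex digits
    port: str
    vlans: tuple[str, ...]
    method: str        # "Locally" or the RADIUS variant


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits so the colon form from the log
    and the bare form used as a netlogin user name compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_auth_events(log_text: str) -> list[AuthEvent]:
    """Extract nl.ClientAuthenticated events from raw 'show log' text."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            vlans = tuple(v.strip() for v in m["vlans"].split(",") if v.strip())
            events.append(AuthEvent(m["kind"], m["user"], normalize_mac(m["mac"]),
                                    m["port"], vlans, m["method"]))
    return events


def parse_local_users(table_text: str) -> set[str]:
    """Parse 'show netlogin local-users' output into a set of lowercase user names.
    Lines up to the dashed separator are header; CLI prompt lines (ending in '#')
    and blank lines are skipped; the first column of each data row is the name."""
    users: set[str] = set()
    past_header = False
    for line in table_text.splitlines():
        if line.startswith("----"):
            past_header = True
            continue
        if not past_header or not line.strip() or line.rstrip().endswith("#"):
            continue
        users.add(line.split()[0].lower())
    return users


def find_unexplained_local_auths(log_text: str, local_users_text: str) -> list[AuthEvent]:
    """Return events authenticated 'Locally' whose user name or MAC does not appear
    in the local user database. With an empty local-users table, as in this
    thread, every locally authenticated client is unexplained."""
    local_users = parse_local_users(local_users_text)
    local_macs = {normalize_mac(u) for u in local_users}
    return [
        ev for ev in parse_auth_events(log_text)
        if ev.method.lower() == "locally"
        and ev.user.lower() not in local_users
        and ev.mac not in local_macs
    ]


if __name__ == "__main__":
    for ev in find_unexplained_local_auths(SAMPLE_LOG, EMPTY_LOCAL_USERS):
        print(f"unexplained local auth: MAC {ev.mac} on port {ev.port} VLANs {ev.vlans}")
```

Run it against the real "show log" and "show netlogin local-users" output instead of the constructed samples; any line it prints is a client the switch admitted without either RADIUS or a local-user entry to account for it.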

Karthik Mohandoss, Employee

Hi Chacko,

I would request you to pursue this issue with a GTAC case, as this needs further investigation.
The 15.3 version has already reached end of engineering, hence it would be best to upgrade to the latest patch in 15.3 (15.3.5.2-patch1-14) and check if the issue gets resolved before opening up the ticket.

Chacko

Hi Karthik,

I updated the switch overnight and so far the problem hasn't occurred again.
I hope there is no general netlogin problem in this software release, but the Summit *50 will be out of contract next year anyway.

Thanks for your help

Best Regards
Chacko

Karthik Mohandoss, Employee

Hi Chacko,

Thanks for getting back on this, good to see that the issue is not seen. 

Chacko

Okay, I revoke the last one.
The issue is still active, even with 15.3.5.2-patch1-14.

I will open up a GTAC case with our external partner.

BR
Chacko