netlogin - "Default" VLAN

Create Date: Feb 29 2012 6:02AM

Hi, I come from the CISCO world. For our customer I need to configure 802.1x netlogin on their "Default" VLAN. They have used this default VLAN for several years. It's a BD8810 switch with XOS 12.5.1.6.

When I want to use commands from the Concept guide and use an example for enabling netlogin, the switch writes back: ERROR: No ports should be assigned to the NetLogin VLAN.

For the command enable netlogin dot1x, it writes back: ERROR: No NetLogin VLAN is configured. Configuration failed on backup MSM, command execution aborted!

Is it possible to use 802.1x authentication on the "default VLAN"?

Thanks for any reply.



(from Ondrej_Cerveny)
Create Date: Mar 7 2012 2:04AM

Hi,

I think you must create a separate VLAN for netlogin. This VLAN is a temporary VLAN for unauthenticated clients. Don't move ports to this VLAN.
e.g.:
create vlan no_auth_test
conf netlogin vlan no_auth_test
enable netlogin dot1x
en netlogin ports 1:1-48 dot1x
...
Try it.
(from matthias_mager)
Create Date: Mar 9 2012 5:55AM

Hi, thanks for the reply.

I tried this, but in this case I need to route traffic between VLANs, and for that traffic ipforwarding is needed, but with ipforwarding I couldn't use network login. Network login is available only on a VLAN without ipforwarding.

Any idea?

Thanks, Andrew

(from Ondrej_Cerveny)
Create Date: Mar 9 2012 8:01AM

Andrew,

The netlogin VLAN is used as a landing spot for devices while they are going through the netlogin process. You are correct that it cannot be used for routing, but no device will spend much time in it if you have configured netlogin completely. The device, and therefore the user, will be moved to a routable VLAN after authentication. There are two modes of Netlogin operation, ISP and Campus. Each mode handles the user VLAN differently.

In ISP mode, you add the destination VLAN to the ports before enabling Netlogin. When authentication is successful, the switch will open up the port for that MAC to access the VLAN.

In Campus mode, you can tell the switch which VLAN to move the device to upon completion of the login process. You can use a local authentication database in the switch or a RADIUS server or a combination of the two. The VLAN must exist on the switch, btw. If you are using a local database on the switch, you use the key "vlan-vsa" at the end of the "netlogin local-user" command to specify the VLAN name. You can also specify whether the VLAN should be .1q tagged or not. The default is untagged. If you are using a RADIUS server, you need to add the Extreme Networks VSA definitions and values. FreeRADIUS stores the definitions in the "dictionary" file and the attributes in the "users" file. Tagging is also supported through this method. Here's an example of setting up a local user on the switch.

create netlogin local-user "Jim" 12345 vlan-vsa "data"

Here's an example of the entry in the users file for user "Jim".

Jim     Auth-Type := EAP, User-Password == "12345"
        Session-Timeout = 60,
        Termination-Action = 1,
        Extreme-Netlogin-Vlan = voice-vlan

All of the VSAs can be found in the Concepts Guide. I found them on page 875 of the 12.6 guide.

Regards, Scott

(from Scott_Singer)
Create Date: Mar 11 2012 11:30PM

Hi Scott, I use the Concept guide 12.1. I would like to use ISP mode. The ports will be in the VLAN for authentication and nothing else. I prepared a RADIUS server for wired authentication.

When I set netlogin on my VLAN (configure netlogin vlan "LAN_AUTH", enable netlogin dot1x, enable netlogin ports 10:15 dot1x) (I can set it), then I would like to connect a notebook to this port, lease a DHCP address and forward traffic on this BD8810 to another VLAN (production network). So I would like to route traffic on this switch, but when I set netlogin, the ipforwarding process stops and I cannot route the traffic to another VLAN. If I use the command for enabling ipforwarding (enable ipforwarding VLAN LAN_AUTH), the CLI returns this: Configuration failed on backup MSM, command execution aborted!

Is it normal? Or is it some bug or feature of this switch? From the CISCO world it looks like a mistake. On a CISCO switch I could route and do port-based authentication at the same time.

It could be some unclarity in my way of thinking.

I have the switch: BlackDiamond 8810 with SW: ExtremeXOS version 12.5.1.6

Thanks for the reply,

Andrew



(from Ondrej_Cerveny)
Create Date: Mar 12 2012 6:13AM

Hi Andrew,

The statement that the "authentication VLAN cannot work on Layer 3" is right:

* Testswitch.8 # en ipforwarding "NO_AUTH_LA"
Error: VLAN NO_AUTH_LA is enabled for NetLogIn!

In my lab I'm using a Summit X450e-24p with EXOS version 12.6.1.3. This switch works at layer 2. The routing is done by a BD8806 with EXOS version 12.4.5.3 patch 1-5. In the lab I use a RADIUS server for wired authentication, too. On the netlogin port I have two devices, one IP phone and behind it a notebook. My netlogin scenario (mac-based) is working. I can reach all network resources.



* Testswitch.15 # sh netlogin por 16
Port : 16
Port Restart : Disabled
Allow Egress : Broadcast, Unicast
Vlan : Muc_PC
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled

MAC IP address Authenticated Type ReAuth-Timer User
00:08:5d:29:cf:18 0.0.0.0 Yes, Radius MAC 0 00085D29CF18
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Port : 16
Port Restart : Disabled
Allow Egress : Broadcast, Unicast
Vlan : Muc_Tel
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled

MAC IP address Authenticated Type ReAuth-Timer User
00:08:5d:29:cf:18 0.0.0.0 Yes, Radius MAC 0 00085D29CF18
-----------------------------------------------
(B) - Client entry Blackholed in FDB

* Testswitch.9 # sh netlogin

NetLogin Authentication Mode : web-based DISABLED; 802.1x ENABLED; mac-based ENABLED
NetLogin VLAN : "NO_AUTH_LA"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Disabled
Dynamic VLAN Uplink Ports : None
Regards

Matthias



(from matthias_mager)
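Added example, not from the thread or from Extreme Networks: a small Python parser for the "show netlogin port" output Matthias pasted above, to audit which MACs were granted access, through which method, and into which VLAN they landed. The sample output is constructed after the format quoted above, and the "(B)" handling assumes that prefix marks a blackholed entry, as the legend line of the output suggests.

```python
import re

# Constructed sample modelled on the "show netlogin port" output quoted in the
# thread (whitespace collapsed); not a capture from the poster's switch.
SAMPLE_OUTPUT = """\
Port : 16
Vlan : Muc_PC
Authentication : mac-based

MAC IP address Authenticated Type ReAuth-Timer User
00:08:5d:29:cf:18 0.0.0.0 Yes, Radius MAC 0 00085D29CF18
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Port : 17
Vlan : NO_AUTH_LA
Authentication : 802.1x

MAC IP address Authenticated Type ReAuth-Timer User
aa:bb:cc:dd:ee:01 0.0.0.0 No 802.1x 0 lab-user
-----------------------------------------------
"""

# Per-port header fields we care about (tolerates the column-aligned spacing of the real CLI).
HEADER_RE = re.compile(r"^(Port|Vlan|Authentication)\s*:\s*(\S+)$")
# One client row. Assumption: a "(B)" prefix marks an entry blackholed in the FDB (see legend line).
CLIENT_RE = re.compile(
    r"^(?P<bh>\(B\)\s+)?(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>\S+)\s+"
    r"(?P<auth>Yes|No)(?:,\s*(?P<src>\S+))?\s+(?P<type>\S+)\s+(?P<reauth>\d+)\s+(?P<user>\S+)$",
    re.IGNORECASE,
)

def parse_netlogin_ports(text):
    """Walk the per-port blocks; attach each client row to the port/VLAN block it sits in."""
    clients, hdr = [], {"port": "", "vlan": "", "authentication": ""}
    for line in (raw.strip() for raw in text.splitlines()):
        h = HEADER_RE.match(line)
        if h:
            hdr[h[1].lower()] = h[2]
        m = CLIENT_RE.match(line)
        if m:
            clients.append({**hdr, "mac": m["mac"].lower(), "user": m["user"], "type": m["type"],
                            "authenticated": m["auth"].lower() == "yes", "source": m["src"],
                            "blackholed": m["bh"] is not None})
    return clients

def needs_review(clients):
    """MACs that never got access: unauthenticated (still parked) or blackholed in the FDB."""
    return [c["mac"] for c in clients if not c["authenticated"] or c["blackholed"]]
```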
