NETLogin failure vlan+ Help required

Create Date: Jul 5 2013 11:45AM

Hi Guys,

I have been working on configuring Netlogin on our network. I have been successful so far for PCs, Apple Macs, phones, APs etc., but now I would like to set up a failure VLAN for the unauthenticated users, so once an untrusted device is connected and authentication fails they are dropped into a guest VLAN?

Do you know what commands and steps I need to achieve that, including any steps I need to take on the server, as I am using Microsoft AD and NPS?

This is my third post, as the last two were unanswered; I am hoping to receive a quick response on this one.

Your help will be highly appreciated.


Many thanks,


Qasim

(from qasim_khan)
Create Date: Jul 5 2013 7:31PM

Hey qasim02,

Here are some things that might help. First, understand that the guest VLAN is not used for users that fail authentication but for users who do not have 802.1X installed. Note: The supplicant does not move to a guest VLAN if it fails authentication after an 802.1x exchange; the supplicant moves to the guest VLAN only if it does not respond to an 802.1x authentication request.

Keep in mind the following guidelines when configuring guest VLANs:

• You must create a VLAN and configure it as a guest VLAN before enabling the guest VLAN feature.
• Configure guest VLANs only on network login ports with 802.1x enabled.
• Movement to guest VLANs is not supported on network login ports with MAC-based or web-based authentication.
• 802.1x must be the only authentication method enabled on the port for movement to the guest VLAN.
• No supplicant on the port has 802.1x capability.

Create Guest VLANs
If you configure a guest VLAN, and a supplicant has 802.1x disabled and does not respond to 802.1x authentication requests from the switch, the supplicant moves to the guest VLAN. Upon entering the guest VLAN, the supplicant gains limited network access.

To create a guest VLAN, use the following command:
configure netlogin dot1x guest-vlan <vlan_name> {ports <port_list>}

Enable Guest VLANs
To enable the guest VLAN, use the following command:
enable netlogin dot1x guest-vlan ports [all | <ports>]

Hope this helps
P
(from Paul_Russo)
Create Date: Jul 9 2013 3:03PM

Hi Prusso,

As always it was very helpful and I really appreciate this. However, this netlogin failure VLAN is already configured at one of this network's sites, and the configuration is as follows:
configure netlogin vlan LoginVLAN
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
enable netlogin ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-42, 5:45-48 dot1x
enable netlogin ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-42, 5:45-48 mac
configure netlogin ports 1:1 mode port-based-vlans (this command is applied to every port)
configure netlogin ports 1:1 no-restart (this command is applied to every port)
enable netlogin authentication failure vlan ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-48
configure netlogin authentication failure vlan GuestLAN ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-42, 5:45-48

and this works for that part of the network. But when I use the same commands on a different site of this network it doesn't work: the ports just stay in the netlogin and won't move to the GuestLAN. And just to troubleshoot this, I statically assigned a user to the GuestLAN VLAN and it works, as the user gets limited connectivity. Aside from this, everything else is working fine.

Look forward to hearing from you soon.


Many thanks,
(from qasim_khan)
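As an added example (not from the thread, and not Extreme Networks code), here is a small Python audit that expands EXOS-style port lists and checks a netlogin config against two points from the posts above: Paul's guideline that guest-VLAN ports must be 802.1x-only (no MAC-based or web-based authentication), and, as my own assumption about what is worth verifying, that every port with the authentication failure VLAN enabled also appears in the port list that assigns the failure VLAN. The sample config reuses the lines Qasim posted plus one constructed guest-vlan line; the command patterns follow the commands quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the netlogin lines posted in the thread, plus one
# guest-vlan line (assumed, not in the posted config) so both rules fire.
SAMPLE_CONFIG = """
configure netlogin vlan LoginVLAN
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
enable netlogin ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-42, 5:45-48 dot1x
enable netlogin ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-42, 5:45-48 mac
enable netlogin authentication failure vlan ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-48
configure netlogin authentication failure vlan GuestLAN ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-42, 5:45-48
configure netlogin dot1x guest-vlan GuestLAN ports 1:1-4
"""

# One regex per command shape we care about; group 1 is the port list.
PATTERNS = {
    "dot1x": r"^enable netlogin ports (.+?) dot1x$",
    "mac": r"^enable netlogin ports (.+?) mac$",
    "web": r"^enable netlogin ports (.+?) web-based$",
    "failure_enabled": r"^enable netlogin authentication failure vlan ports (.+)$",
    "failure_configured": r"^configure netlogin authentication failure vlan \S+ ports (.+)$",
    "guest_configured": r"^configure netlogin dot1x guest-vlan \S+ ports (.+)$",
}


def expand_ports(spec):
    """Expand an EXOS-style port list such as '1:1-48, 5:45-48' into a set of
    (slot, port) tuples.  Entries without a slot (standalone switches, e.g.
    '1-4') are given slot 0."""
    ports = set()
    for item in re.split(r"\s*,\s*", spec.strip()):
        if not item:
            continue
        if ":" in item:
            slot_str, rng = item.split(":", 1)
            slot = int(slot_str)
        else:
            slot, rng = 0, item
        lo, _, hi = rng.partition("-")
        for p in range(int(lo), int(hi or lo) + 1):
            ports.add((slot, p))
    return ports


def fmt_ports(ports):
    """Render a set of (slot, port) tuples as a sorted, readable list."""
    return ", ".join(f"{s}:{p}" for s, p in sorted(ports))


def parse_config(text):
    """Collect, per command shape, the union of all ports it was applied to."""
    state = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        for key, pat in PATTERNS.items():
            m = re.match(pat, line)
            if m:
                state[key] |= expand_ports(m.group(1))
    return state


def audit(text):
    """Return, per check, the set of ports that violate it (empty = clean)."""
    s = parse_config(text)
    return {
        # Failure VLAN enabled on a port that no 'configure ... failure vlan'
        # line covers (assumed worth checking; not stated in the thread).
        "failure_vlan_enabled_but_not_configured": s["failure_enabled"] - s["failure_configured"],
        # Guest VLAN guideline from the thread: 802.1x must be the only
        # authentication method enabled on the port.
        "guest_vlan_with_mac_or_web_auth": s["guest_configured"] & (s["mac"] | s["web"]),
        "guest_vlan_without_dot1x": s["guest_configured"] - s["dot1x"],
    }


if __name__ == "__main__":
    for check, ports in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {fmt_ports(ports) or 'ok'}")
```

On the sample it reports 5:43 and 5:44 as enabled for the failure VLAN but absent from the configured port list, and 1:1-4 as guest-VLAN ports that also have MAC authentication enabled. Whether either finding explains the behaviour at the second site has to be confirmed on the switch itself; the script only makes the port-list mismatches visible, which is hard to do by eye on lists this long.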
