Problem: Netlogin and APs, cameras, printers: devices don't work on port

  • Updated 7 months ago
  • Not a Problem
Hello, team,

I've enabled netlogin on Summits and it gives me all the data I need. But a problem has appeared. On ports where APs, printers and cameras are connected and netlogin is enabled, these devices became inaccessible.

What is the reason for such behaviour?

Maybe there is a magic checkbox in NAC which will solve my problem?


Here is my config on switches:


configure radius netlogin primary server 192.168.128.160 1812 client-ip 192.168.21.185 vr VR-Default
configure radius netlogin primary shared-secret encrypted "***"
configure radius netlogin secondary server 192.168.128.162 1812 client-ip 192.168.21.185 vr VR-Default
configure radius netlogin secondary shared-secret encrypted "***"
configure radius-accounting netlogin primary server 192.168.128.160 1813 client-ip 192.168.21.185 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "***"
configure radius-accounting netlogin secondary server 192.168.128.162 1813 client-ip 192.168.21.185 vr VR-Default
configure radius-accounting netlogin secondary shared-secret encrypted "***"
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin


Many thanks in advance,
Ilya

Ilya Semenov


Posted 7 months ago


Claudio D'Ascenzo

Hi Ilya, I don't see in your configuration which ports authentication is applied on.

I use the configuration below to apply MAC authentication on some ports:

configure netlogin move-fail-action authenticate
configure netlogin vlan AUTH
###enable netlogin dot1x mac
enable netlogin mac
configure netlogin agingtime 1
###configure netlogin dynamic-vlan enable
###enable netlogin ports 1:1-x dot1x
enable netlogin ports 31-32 mac
configure netlogin ports 31-32 mode port-based-vlans
configure netlogin ports 31-32 no-restart
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 ports 31-32
###configure netlogin dot1x timers reauth-period 7200
enable netlogin authentication failure vlan ports 31-32
enable netlogin authentication service-unavailable vlan ports 31-32
disable netlogin logout-privilege
disable netlogin session-refresh
disable netlogin redirect-page

###VLAN to active in case Nac GW fault
Create Vlan Guest tag 91
configure netlogin authentication failure vlan Guest ports 31-32
configure netlogin authentication service-unavailable vlan Guest ports 31-32

The commands with ### are not used; hope this could help you.

Ciao, Claudio
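One way to answer the question raised in this reply (which ports actually have netlogin applied, and with what fallback VLAN) from a saved switch configuration. This is an added example, not part of the original posts or any vendor tooling; the function names, the constructed sample text and the port inventory passed to `uncovered` are assumptions, and it handles only the command forms shown in this thread with explicit port lists.

```python
import re

# Constructed sample: netlogin port lines taken from the reply above.
SAMPLE = """\
enable netlogin mac
enable netlogin ports 31-32 mac
###enable netlogin ports 1:1-x dot1x
enable netlogin authentication failure vlan ports 31-32
enable netlogin authentication service-unavailable vlan ports 31-32
configure netlogin authentication failure vlan Guest ports 31-32
configure netlogin authentication service-unavailable vlan Guest ports 31-32
"""

METHODS = r"(?:dot1x|mac|web-based)"
ENABLE = re.compile(rf"^enable netlogin ports (\S+) ({METHODS}(?: {METHODS})*)$", re.I)
FALLBACK = re.compile(r"^(enable|configure) netlogin authentication "
                      r"(failure|service-unavailable) vlan (?:(\S+) )?ports (\S+)$", re.I)

def expand_ports(spec):
    """Expand a port list such as '1,5-7' or '1:1-1:3' into port names."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        slot, _, first = lo.rpartition(":")
        last = hi.rpartition(":")[2] if hi else first
        prefix = slot + ":" if slot else ""
        ports += [f"{prefix}{n}" for n in range(int(first), int(last) + 1)]
    return ports

def audit(config):
    """Map each port named in netlogin lines to its methods and fallback VLANs."""
    state = {}
    def entry(port):
        return state.setdefault(port, {"methods": set(), "fallback": {}})
    for line in map(str.strip, config.splitlines()):
        if line.startswith("#"):  # '###' lines are the unused commands
            continue
        if m := ENABLE.match(line):
            for p in expand_ports(m.group(1)):
                entry(p)["methods"].update(m.group(2).lower().split())
        elif m := FALLBACK.match(line):
            verb, kind, vlan, spec = m.groups()
            for p in expand_ports(spec):
                fb = entry(p)["fallback"].setdefault(kind.lower(), {})
                fb["enabled" if verb.lower() == "enable" else "vlan"] = vlan or True
    return state

def uncovered(config, all_ports):
    """Ports from the supplied inventory with no netlogin method enabled."""
    state = audit(config)
    return [p for p in all_ports if not state.get(p, {}).get("methods")]
```
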

Ilya Semenov

Hello, Claudio,

I don't see a solution for my problem in your message, sorry.

My configuration is applied to all ports, except trunks. After that I manually exclude AP, printer and camera ports.