Strange Netlogin behaviour

  • Updated 4 years ago
I have configured both dot1x and mac auth on the same port with dynamic vlan.
dot1x for PC and notebook
mac for telephone and printers

What I have seen is that just after the port becomes active, the switch starts mac auth instead of waiting for the eapol start from the client:
09/30/2014 15:43:21.94 <Info:nl.ClientAuthenticated> Slot-1: Network Login 802.1x user host/DA17190.ita.rsa-ins.com logged in MAC A4:5D:36:D1:54:1C port 3:15 VLAN(s) "PP_4P", authentication Radius
09/30/2014 15:43:21.68 <Info:nl.ClientAuthenticated> Slot-1: Network Login MAC user A45D36D1541C logged in MAC A4:5D:36:D1:54:1C port 3:15 VLAN(s) "Ospite", authentication Radius
09/30/2014 15:43:21.42 <Info:vlan.msgs.portLinkStateUp> Slot-1: Port 3:15 link UP at speed 100 Mbps and full-duplex

After some seconds, when it receives the eapol start, it restarts a new authentication process for the same mac address.

The result is that the client is first moved into the guest vlan (where it gets an ip address from the dhcp server) and then into the client vlan.



This is my netlogin conf:
configure netlogin vlan TEMP
enable netlogin dot1x mac
configure netlogin agingtime 120
configure netlogin dynamic-vlan enable
configure netlogin dynamic-vlan uplink-ports 1:49
configure netlogin mac authentication database-order local radius
enable netlogin ports 1:1-48, 2:1-7, 2:9-17, 2:19-48, 3:1-12, 3:14-48, 4:1-48, 5:1-44, 5:46-50 dot1x
enable netlogin ports 1:1-48, 2:1-7, 2:9-17, 2:19-48, 3:1-12, 3:14-48, 4:1-48, 5:1-44, 5:46-50 mac
configure netlogin ports 1:1 mode port-based-vlans
configure netlogin ports 1:1 no-restart
.....
configure netlogin add mac-list 00:00:aa:fa:29:85 48 encrypted "=421BFAB3<44"
...
configure netlogin add mac-list 00:90:1e:90:00:e1 48 encrypted "=4;12B>315I0"
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin dot1x timers server-timeout 10
configure netlogin dot1x timers reauth-period 0
configure netlogin dot1x timers supp-resp-timeout 10
enable netlogin authentication service-unavailable vlan ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-50
configure netlogin authentication service-unavailable vlan Ospite ports 1:1-2, 1:4-8, 1:10-14, 1:16-48, 2:1-7, 2:10-17, 2:19-48, 3:1-12, 3:14-48, 4:1-28, 4:30-31, 4:33-48, 5:1-50


In my opinion this is incorrect behaviour, because mac auth should happen only when the client does not have or has not configured an 802.1x supplicant.
Luca Messori

Posted 4 years ago
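
A way to spot this double authentication in the switch log, as an added example that is not part of the original post: the Python code below parses nl.ClientAuthenticated lines in the format shown above and reports clients that MAC auth placed in one VLAN before 802.1x moved them to another. The sample log lines, the 60-second window and the function names are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the nl.ClientAuthenticated line format shown in the post.
EVENT = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) <Info:nl\.ClientAuthenticated> '
    r'.*?Network Login (?P<method>802\.1x|MAC) user (?P<user>\S+) logged in '
    r'MAC (?P<mac>[0-9A-Fa-f:]{17}) port (?P<port>\S+) VLAN\(s\) "(?P<vlan>[^"]+)"'
)

def parse(lines):
    """Return authentication events sorted oldest first (the log above is newest first)."""
    events = []
    for line in lines:
        m = EVENT.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %H:%M:%S.%f")
            e["mac"] = e["mac"].upper()
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def vlan_flips(lines, window=timedelta(seconds=60)):
    """Find clients put in one VLAN by MAC auth, then moved by 802.1x within `window`."""
    last_mac_auth = {}  # (mac, port) -> most recent MAC-auth event
    flips = []
    for e in parse(lines):
        key = (e["mac"], e["port"])
        if e["method"] == "MAC":
            last_mac_auth[key] = e
        elif key in last_mac_auth:
            first = last_mac_auth.pop(key)
            gap = e["ts"] - first["ts"]
            if gap <= window and first["vlan"] != e["vlan"]:
                flips.append((e["mac"], e["port"], first["vlan"], e["vlan"],
                              gap.total_seconds()))
    return flips

# Constructed sample log (newest first, like the post); addresses and names are made up.
SAMPLE = """\
09/30/2014 15:44:02.10 <Info:nl.ClientAuthenticated> Slot-1: Network Login MAC user 00005E005302 logged in MAC 00:00:5E:00:53:02 port 3:16 VLAN(s) "Ospite", authentication Radius
09/30/2014 15:43:21.94 <Info:nl.ClientAuthenticated> Slot-1: Network Login 802.1x user host/pc01.example.com logged in MAC 00:00:5E:00:53:01 port 3:15 VLAN(s) "PP_4P", authentication Radius
09/30/2014 15:43:21.68 <Info:nl.ClientAuthenticated> Slot-1: Network Login MAC user 00005E005301 logged in MAC 00:00:5E:00:53:01 port 3:15 VLAN(s) "Ospite", authentication Radius
09/30/2014 15:43:21.42 <Info:vlan.msgs.portLinkStateUp> Slot-1: Port 3:15 link UP at speed 100 Mbps and full-duplex
""".splitlines()

if __name__ == "__main__":
    for mac, port, v1, v2, gap in vlan_flips(SAMPLE):
        print(f"{mac} port {port}: MAC auth -> {v1!r}, 802.1x -> {v2!r} after {gap:.2f}s")
```

A device that only ever authenticates by MAC, such as the constructed client on port 3:16, is not reported.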

PARTHIBAN CHINNAYA, Alum

This looks to me like a known issue.
What is the EXOS version? Did you check with a different EXOS version?
Luca Messori

I have done tests with firmware 15.1.3 and 15.3.4.6-patch5 but I have the same results.
I have seen SR number 4-4576621665.

I think that there are two problems:
- the switch is not honoring the 30 second timeout period before mac auth
- the client sends the dhcp request immediately (before it is moved to its vlan)

I would like to resolve the first problem.
In SR number 4-4576621665 there is this annotation:
"Resolved via 01033072"
What is 01033072?

Regards