XOS: netlogin on sharing ports

  • Question
  • Updated 6 months ago
  • Answered
Hi Extreme Networks folks,

I want to get some ideas and statements regarding the need for the following feature:

"netlogin on sharing ports"

Currently this is not possible (on XOS; EOS supports that)!

To attach a server redundantly to a switch I use sharing. To authenticate and for documentation purposes I use authentication (netlogin). So from my point of view it is very clear to use both features on the same port. But currently this is not possible.

What do you think about that ?

M.Nees, Embassador


Posted 3 years ago


M.Nees, Embassador

No other opinion? Nobody who agrees with me that this is useful?

Daniel Flouret, Employee

Matthias,

Network login is a security feature intended to secure access to the network from ports accessible to normal employees and visitors, to make sure nobody can gain access to the network by simply plugging a device into an empty port.

Servers, on the other hand, tend to be grouped in protected environments (datacenters) with ports not available to visitors or normal employees. Datacenters have their own security measures that don't include network login.

I imagine that network login would be disruptive in the current virtualized datacenter, where VMs can be moved from one physical server/network port to another without the VM knowing it is being moved. Because of this, the datacenter network has to include tools (e.g. Data Center Manager) to make sure that the destination port has the same configuration as the original port. If the VM is unaware of it being moved to a new port, how would it re-negotiate access through Network Login?

I don't know how easy/difficult it is to enable this, but you can always work with GTAC and your local SE to make a feature request.

M.Nees, Embassador

Hi Daniel,
we are using authentication not only for security reasons; mostly the visibility effect is more important!

Visibility means that through RADIUS authentication I know immediately (NetSight DB) where each device (server or any other system) is connected. From that point of view it would be very useful if netlogin and sharing did not exclude each other.

But it seems that not very many other Extreme customers use the existing feature set like we do.

Matthew Helm, Employee

Is the visibility information you need simply MAC address, and possibly IP address?

M.Nees, Embassador

To achieve simple visibility I need IP addresses or, better, usernames; a MAC does not easily tell me which user or system is connected.

Matthew Helm, Employee

Do you use LACP for the forming of sharing groups? What is the RADIUS server? Is it FreeRadius?

M.Nees, Embassador

Correct, I use LACP! RADIUS is Enterasys NAC Gateway (= FreeRADIUS core).

Daniel Flouret, Employee

What about Identity Management? It can detect identities through:
- FDB
- IPARP
- IPSecurity DHCP Snooping
- LLDP
- Netlogin
- Kerberos

This information can then be sent to NetSight to populate the user/host field in Identity and Access entries.

There's a script in NetSight to do this:
#######################################################################################
## The following configuration can be pushed from NetSight OneView Device IDM Script ##
#######################################################################################
# Turn on Identity Management and tell it which ports to watch
enable identity-management
configure identity-management add ports <access ports>
# Create an XML notification target pointing at the NetSight server and
# let the identity manager (idMgr) module send its events to it
create xml-notification target netsight-target_<NetSight IP> url https://<NetSight IP>:8443/axis/services/event vr VR-Mgmt
configure xml-notification target netsight-target_<NetSight IP> user root
enable xml-notification netsight-target_<NetSight IP>
configure xml-notification target netsight-target_<NetSight IP> add idMgr
#######################################################################################

Matthew Helm, Employee

Daniel, I was thinking that myself, but the crux of the problem is that he can't get user ID except through Kerberos snooping, as he can't enable 802.1x on an LACP-enabled port. If this were a virtualized environment, he could use DCM to capture VM information in NS, but I'm not sure that it is. If IP address is sufficient, this should work.

Daniel Flouret, Employee

If the servers belong to an AD domain, he'll get user/host info. If not, he'll get IP addresses. And he said that IP addresses would do...


Matthew Helm, Employee

Correct. I'm just trying to think of a way he could get user information where an AD domain is not present. Were LACP not used (but instead static load-sharing/nic-teaming were used), this might be possible.

Volker Kull

Hello !

In case of future requirements for automation and SDN this function will be essential for all these activities. Using NAC/NMS for authentication of servers you can trigger a lot of actions there, helping to build a platform for automation across the complete IT infrastructure, like the SDN vision.
There will be no difference between access and datacenter ports. It's important to have the possibility to use all ports in the same way: authenticate, authorise and trigger actions based on the information from the IT infrastructure (NMS, NAC, PV, 3rd-party, ...).

br
Volker

M.Nees, Embassador

Just a short update.

Starting with EXOS 22.2, netlogin on sharing ports is possible:
https://gtacknowledge.extremenetworks.com/articles/Q_A/Is-Netlogin-supported-on-lag-ports

Starting with EXOS 22.4, netlogin on MLAG ports is possible.

M.Nees, Embassador

Just a second short update!

It is very important that sharing is enabled first! And after that netlogin as a second step (on the sharing master port only!)

My customer uses default policies on every port, so these have to be removed too and then bound, after sharing is done, to the master port only.

If you swap the sequence you get these errors:
* 10.1.1.206.32 # enable sharing 1 grouping 1-2 algorithm address-based L3_L4 lacp
Error: Load sharing cannnot be enabled on ports (1) configured for Network LogIn
* 10.1.1.206.33 #
If there is a Policy bind to the ports:
10.1.1.206.19 # enable sharing 1 grouping 1-2 algorithm address-based L3_L4 lacp
Error: Load sharing cannnot be enabled on ports (1) configured for Policy Convergence Endpoint (convergence-endpoint) or Admin Profile (admin-profile) rules
10.1.1.206.20 #
Regards
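The ordering described in the update above, worked through as an added example; this is not configuration from the original post or from Extreme Networks. It assumes EXOS 22.2 or later, port 1 as the LAG master and ports 1-2 as the group (the same group as in the error transcript), a netlogin VLAN named nl_temp, a RADIUS/NAC gateway at 10.1.1.250 and a switch address of 10.1.1.206; all of these are placeholders. The `enable sharing ... lacp` line is the one quoted in the post; the remaining lines use the standard EXOS netlogin and RADIUS command set. The exact command for unbinding a default policy profile from a port varies by release, so that step is left as a comment.

```text
# Added example (not from the original post): EXOS 22.2+, netlogin on an LACP sharing group.
# Placeholders: master port 1, group ports 1-2, RADIUS 10.1.1.250, switch 10.1.1.206, VLAN nl_temp.

# 0. If a default policy profile is bound to ports 1-2, unbind it from both ports first;
#    otherwise "enable sharing" fails with the Policy Convergence Endpoint / Admin Profile error.
#    (release-specific policy commands, not shown here)

# 1. Sharing FIRST. Enabling netlogin on port 1 before this step makes the command fail with
#    "Load sharing cannot be enabled on ports (1) configured for Network LogIn".
enable sharing 1 grouping 1-2 algorithm address-based L3_L4 lacp
show sharing

# 2. RADIUS server used for netlogin (the NAC gateway in the thread; address assumed).
configure radius netlogin primary server 10.1.1.250 1812 client-ip 10.1.1.206 vr VR-Default
configure radius netlogin primary shared-secret <secret>
enable radius netlogin

# 3. Netlogin SECOND, and only on the master port of the sharing group.
create vlan nl_temp
configure netlogin vlan nl_temp
enable netlogin dot1x
enable netlogin ports 1 dot1x

# 4. Verify: port 1 should show as the sharing master and as a netlogin dot1x port.
show sharing
show netlogin
```

If a default policy is needed on the server-facing ports, bind it to the master port only after step 3, which is the order the update describes for the customer's per-port default policies.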