Prusso was helping me with this but I think he's busy. Wondering if one of you can please help me with this? Below is the history of my request:
I have been working on configuring Netlogin at our network. I have been successful so far for PCs, Apple Macs, phones and APs etc., but now I would like to set up a failure VLAN for the unauthenticated users, so once an untrusted device is connected and authentication fails they are dropped into a guest VLAN?
Do you know what commands and steps I need to achieve that, including any steps I need to take on the server, as I am using Microsoft AD and NPS?
This is my third post as the last two were unanswered; I am hoping to receive a quick response on this one.
Your help will be highly appreciated.
7/5/2013 7:30 PM
Joined: 7/15/2009 Posts: 343
Re: NETLogin failure vlan
Here are some things that might help. First, understand that the guest VLAN is not used for users that fail authentication but for users who do not have 802.1X installed.
Note: The supplicant does not move to a guest VLAN if it fails authentication after an 802.1x exchange; the supplicant moves to the guest VLAN only if it does not respond to an 802.1x
Keep in mind the following guidelines when configuring guest VLANs:
• You must create a VLAN and configure it as a guest VLAN before enabling the guest VLAN feature.
• Configure guest VLANs only on network login ports with 802.1x enabled.
• Movement to guest VLANs is not supported on network login ports with MAC-based or web-based
• 802.1x must be the only authentication method enabled on the port for movement to guest VLAN.
• No supplicant on the port has 802.1x capability.
Create Guest VLANs
If you configure a guest VLAN, and a supplicant has 802.1x disabled and does not respond to 802.1x authentication requests from the switch, the supplicant moves to the guest VLAN. Upon entering the guest VLAN, the supplicant gains limited network access.
To create a guest VLAN, use the following command:
configure netlogin dot1x guest-vlan
Enable Guest VLANs
To enable the guest VLAN, use the following command:
enable netlogin dot1x guest-vlan ports [all | ]
Hope this helps
7/9/2013 3:02 PM
Joined: 1/19/2012 Posts: 22
Re: NETLogin failure vlan+ HELP
As always, it was very helpful and I really appreciate this. However, this netlogin failure VLAN is already configured at one of this network's sites, and the configuration is as follows:
configure netlogin vlan LoginVLAN
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
enable netlogin ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-42, 5:45-48 dot1x
enable netlogin ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-42, 5:45-48 mac
configure netlogin ports 1:1 mode port-based-vlans (this command is applied to every port)
configure netlogin ports 1:1 no-restart (this command is applied to every port)
enable netlogin authentication failure vlan ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-48
configure netlogin authentication failure vlan GuestLAN ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-42, 5:45-48
And this works for that part of the network, but when I use the same commands on a different site of this network it doesn't work. The ports just stay in the netlogin and won't move to the GuestLAN. Just to troubleshoot this, I statically assigned a user to the GuestLAN VLAN and it works, as the user gets limited connectivity. Aside from this, everything else is working fine.
Look forward to hearing from you soon.
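
When a netlogin configuration like the one quoted above is copied from one site to another, it helps to compare which ports each command actually covers. The following is an added example, not part of either post and not vendor code: it expands the port lists in the four quoted lines and applies the guideline quoted in the reply (802.1x must be the only method on a port for guest VLAN movement). The regular expressions are assumptions that match only the command forms shown in this thread.

```python
import re

# Lines copied from the post above (per-port mode/no-restart lines omitted).
CONFIG = """\
enable netlogin ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-42, 5:45-48 dot1x
enable netlogin ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-42, 5:45-48 mac
enable netlogin authentication failure vlan ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-48
configure netlogin authentication failure vlan GuestLAN ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-42, 5:45-48
"""

PORT_RANGE = re.compile(r"(\d+):(\d+)(?:-(\d+))?")

# Assumed patterns: they cover only the command forms quoted in the thread.
PATTERNS = {
    "dot1x": r"^enable netlogin ports (.+) dot1x$",
    "mac": r"^enable netlogin ports (.+) mac$",
    "fail_enabled": r"^enable netlogin authentication failure vlan ports (.+)$",
    "fail_vlan": r"^configure netlogin authentication failure vlan \S+ ports (.+)$",
}

def expand(port_list):
    """Expand '1:1-48, 5:45-48' into a set of (slot, port) tuples."""
    ports = set()
    for slot, first, last in PORT_RANGE.findall(port_list):
        for port in range(int(first), int(last or first) + 1):
            ports.add((int(slot), port))
    return ports

def parse(config):
    """Return, per command type, the set of ports the command covers."""
    cover = {key: set() for key in PATTERNS}
    for line in config.splitlines():
        for key, pattern in PATTERNS.items():
            match = re.match(pattern, line.strip())
            if match:
                cover[key] |= expand(match.group(1))
    return cover

def audit(config):
    c = parse(config)
    return {
        # Failure VLAN enabled on the port, but no failure VLAN assigned to it.
        "failure_enabled_without_vlan": sorted(c["fail_enabled"] - c["fail_vlan"]),
        # Failure VLAN enabled on a port where netlogin itself is not enabled.
        "failure_enabled_without_netlogin": sorted(c["fail_enabled"] - (c["dot1x"] | c["mac"])),
        # Per the quoted guideline: guest VLAN needs 802.1x as the only method.
        "guest_vlan_eligible": sorted(c["dot1x"] - c["mac"]),
    }

if __name__ == "__main__":
    for name, ports in audit(CONFIG).items():
        print(name, [f"{slot}:{port}" for slot, port in ports])
```

Running the same audit on the configuration saved from the second site and diffing the two results shows any port-list differences between the sites.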