Question

Netlogin: MAC authentication against ClearPass RADIUS server: Password mismatch

  • 15 July 2019

Maybe someone can shine some light on this: we are trying to use MAC authentication on X440-G2 switches against an Aruba ClearPass server with RADIUS. We encountered the following problems:

  • We need to use the command "enable policy" to even use dot1x and MAC auth properly. As far as I know, this enables a newer RADIUS stack. Unfortunately much of the documentation still uses the old stack. Commands like "conf netlogin vlan nt_login" don't exist with the new stack. Is there newer documentation about this? What exactly are the differences between these modes "enable/disable policy"?
  • 6 months ago while testing, the MAC authentication worked; in the last tests, I get the following error from ClearPass: MAC-AUTH: Password in request doesn't match username. Not attempting MAC authentication
The support guy from Aruba told me that MAC auth requires the username and password that get sent to the RADIUS server to be the same, which seems not to be the case here. We are currently using firmware 30.2.1.8.

6 months ago, when it still worked, we used version 22.6 or something. Are there changes that went into the RADIUS / netlogin stack?

This is the configuration we are currently using:

* sw309.6 # show config aaa
#
# Module aaa configuration.
#
configure radius netlogin primary server 10.231.131.209 1812 client-ip 172.28.32.52 vr VR-Default
configure radius netlogin primary shared-secret encrypted "********"
configure radius-accounting mgmt-access primary server 10.231.131.209 1813 client-ip 172.28.32.52 vr VR-Default
configure radius-accounting mgmt-access primary shared-secret encrypted "********"
configure radius-accounting netlogin primary server 10.231.131.209 1813 client-ip 172.28.32.52 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "********"
configure radius dynamic-authorization 1 server 10.231.131.209 client-ip 172.28.32.52 vr VR-Default shared-secret encrypted "********"
enable radius
enable radius mgmt-access
enable radius netlogin
enable radius-accounting mgmt-access
enable radius-accounting netlogin
enable radius dynamic-authorization
configure account admin encrypted "********"
create account admin adm encrypted "********"
create netlogin local-user "admin" encrypted "********" vlan-vsa switchnet

* sw309.7 # show config netlogin
#
# Module netLogin configuration.
#
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
enable netlogin ports 1-16 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "*********"
* sw309.8 #

2 replies

We don't plan to use XMC, but without enable policy we couldn't mix MAC and dot1x auth, or couldn't authenticate more than one device per port, I'm not sure anymore.

Anyway, your solution worked.

I'm a bit surprised, since last time I used the same command:
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48

and the EXOS system appended the 'encrypted "***********"' part on its own. After removing the mac-list and re-entering the same command, the encrypted part didn't get configured again and it's working as intended.

Thank you very much.

Any information on whether it's possible to assign an ISID/NSI via netlogin? I guess if I can only supply a VLAN ID without NSI, the VLANs need to be configured with ISID on the edge switch prior to using netlogin?
If you plan to use XMC Extreme Control using policy config and send a radius "Filter-ID" then enable policy on the switch. If you plan for just authentication and vlan assignment then don't enable policy.

https://www.extremenetworks.com/product/extremecontrol/


The problem is with your MAC-list. If you configure a password, it will take the MAC of the supplicant and use it for the username and your given password for the password for all MAC auth, so they will never match. If you use the configuration below, it will take the MAC of the supplicant and use it for both the username and the password.

Note: you will need to delete your old MAC-List

configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
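The username/password rule behind this answer, as an added example that is not code from the thread, from Extreme or from Aruba: a small Python model of the Access-Request the switch sends for MAC auth (User-Name = supplicant MAC, User-Password hidden as in RFC 2865) and of the ClearPass check quoted in the question. The shared secret and the MAC are constructed values.

```python
import hashlib
import secrets

# Added example (not Extreme or Aruba code): models the RADIUS Access-Request an
# EXOS switch sends for MAC authentication and the ClearPass rule quoted in the
# thread, which only attempts MAC auth when User-Password equals User-Name.
# The shared secret and the MAC used in the check are constructed values.
SHARED_SECRET = b"example-secret"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16 bytes, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo hide_password to recover the cleartext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_mac_auth_request(mac: str, password: str) -> dict:
    """The switch puts the supplicant MAC in User-Name; the password is either the
    mac-list password (if one is configured) or the MAC again (if none is)."""
    authenticator = secrets.token_bytes(16)
    return {"User-Name": mac.encode(), "Request-Authenticator": authenticator,
            "User-Password": hide_password(password.encode(), SHARED_SECRET, authenticator)}


def clearpass_mac_auth_check(req: dict) -> str:
    """Mirror of the ClearPass behaviour reported in the thread."""
    pw = reveal_password(req["User-Password"], SHARED_SECRET, req["Request-Authenticator"])
    if pw != req["User-Name"]:
        return "MAC-AUTH: Password in request doesn't match username. Not attempting MAC authentication"
    return "MAC-AUTH: attempting MAC authentication"
```

A mac-list entry with a configured password gives the first message for every supplicant; the same entry without a password makes User-Password equal User-Name and the check passes.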
