Solved

VPEX with netlogin mac

  • 23 September 2020

Userlevel 1

Hello,

Some days ago we built up our first VPEX environment with netlogin MAC enabled ports and redundant controller bridges. Although the netlogin request is positively answered by the NAC server, the port goes into unauthenticated state.

In the GTAC knowledge base I found the following article https://extremeportal.force.com/ExtrArticleDetail?n=000045881&q=vpex%20netlogin which gives hints on an enabled policy. What do we have to do to solve our problem?

Benjamin


Best answer by Benjamin Kümmel 19 October 2020, 21:10

Hello,

Here are some words about my solution. As I’ve read now, I need policies to solve my netlogin problem in a VPEX environment.

The first step was to enable policies on the switches and add some SNMP write credentials so that the EMC can push the policies to the switches.

Now I created on the EMC a new empty policy domain and created one new policy role to give full access by permitting traffic. After saving these simple settings I distributed the policy to the switches by adding the newly created policy domain to the switches. Before that it was necessary to add the new write credentials to the access profile.

After that I modified the given NAC configuration and modified the rules so that EMC now gives back the allow-all policy to the switches instead of the enterprise user policy after a successful request.

Benjamin


Userlevel 4

Can you provide us the output of the following commands:

show netlogin session ports 106:9
show configuration netlogin
show configuration policy

Do you see the client in the NAC End-Systems table?

Userlevel 1

Hello Stefan,

Thank you for your demand. Here is the information:

* (orchestration cb-schloss-02) Slot-1 VPEX cb-schloss-01.7 # sh netl por 106:9
Port                          : 106:9
Port Restart                  : Disabled
Allow Egress                  : Broadcast, Unicast
Vlan                          : vlan-mag-reykjavik
Authentication                : mac-based
Port State                    : Enabled
Authentication Mode           : Required (Policy Enabled only)
Max Supported Users           : 24576 (Policy Enabled only)
Allowed Users                 : 128 (Policy Enabled only)
Current Users                 : 0 (Policy Enabled only)
Auth Failure Vlan             : Disabled
Auth Service-Unavailable Vlan : Disabled
------------------------------------------------
        MAC Mode Port Configuration
------------------------------------------------
Re-authentication period      : 3600
Re-authentication             : Off
Authentication Delay          : 0 seconds (Default)
------------------------------------------------
        Netlogin Clients
------------------------------------------------

MAC                IP address       Authenticated     Type    ReAuth-Timer   User
-----------------------------------------------
(B) - Client entry Blackholed in FDB


Number of Clients Authenticated  : 0
* (orchestration cb-schloss-02) Slot-1 VPEX cb-schloss-01.8 # sh conf netlogin
#
# Module netLogin configuration.
#
configure netlogin vlan dummy
enable netlogin mac
configure netlogin mac authentication database-order radius
enable netlogin ports 106:9 mac
configure netlogin ports 106:9 mode mac-based-vlans
configure netlogin ports 106:9 no-restart
configure netlogin ports 106:9 allow egress-traffic all_cast
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
* (orchestration cb-schloss-02) Slot-1 VPEX cb-schloss-01.9 # sh conf polic
#
# Module policy configuration.
#
* (orchestration cb-schloss-02) Slot-1 VPEX cb-schloss-01.10 #

I’ve seen the need to use policies. I hope that this feature is easy to implement.

Greetings

Benjamin

Userlevel 6

Benjamin,

Have a look here: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-bind-a-policy-to-a-user-with-freeradius/

Your radius seems to be answering with a policy name starting with “enterprise...” but the screenshot is cutting the end of the name. This name is the TestPolicy in the example.

Mig

Userlevel 1

Hello,

Thanks for the hint on the policies. With this info in mind I was able to create a good solution on our Extreme Management Center.

Greetings

Benjamin

Userlevel 6

Very good,

Please share your solution to help the community!

Thanks

Mig
