Header Only - DO NOT REMOVE - Extreme Networks

Authentication Mode Optional - Older Code


Userlevel 5
Hi,

In the process of configuring MAC based Netlogin on some older switches, the configuration will look something like the following:

create vlan nt_login
configure netlogin vlan nt_login
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin mac authentication database-order radius
configure netlogin ports 20-22 mode port-based-vlans
configure netlogin authentication failure vlan Default ports 20-22
configure netlogin authentication service-unavailable vlan Default ports 20-22
enable netlogin ports 20-22 mac
enable netlogin mac

What I would like to do is use the same function as the optional command:

configure netlogin port 20-22 authentication mode optional

Basically so that I'm not enforcing the authentication, just essentially putting it into monitoring mode, as the 'optional' command isnt available on the version being used.

From what I understand the device will be put into the 'nt_login' VLAN whilst its being authenticated, but ideally I wouldn't want the device to be removed / disconnected from the network at any point or for any condition, just want to put the data into NAC.

The other problem being I can't say replace the VLAN 'nt_login' in the 'configure netlogin vlan' command with the default VLAN the port is already configured for.

Hopefully that makes sense, and appreciate any ideas.

Many thanks in advance.

8 replies

Userlevel 6
Martin, take a look at netlogin in ISP mode. Then the port does not move to another vlan. This happens when radius does not give a vlan with the accept and the port stays in the same vlan and use netlogin to only allow or disallow the client.
Userlevel 5
OscarK wrote:

Martin, take a look at netlogin in ISP mode. Then the port does not move to another vlan. This happens when radius does not give a vlan with the accept and the port stays in the same vlan and use netlogin to only allow or disallow the client.

Hi Oscar, thanks for the quick response and the pointer, much appreciated.

I'll post back the config once I've looked it up and tested it.
Userlevel 5
Hi,

I've looked into the ISP mode and apparently the configuration is to use:

enable netlogin ports vlan

Problem is that command doesn't exist, so I'm a little stuck?!

enable netlogin ports 1-22?

dot1x Configure the 802.1x authentication protocol
mac Configure the MAC-Based authentication protocol
web Configure the web-based authentication protocol

Any ideas?

Many thanks
Userlevel 6
From memory you just add a port to the vlan you want and then enable netlogin on that port/
Userlevel 5
OscarK wrote:

From memory you just add a port to the vlan you want and then enable netlogin on that port/

Hi Oscar,

Sure did this:

enable netlogin ports 20-22

It then complains that a netlogin VLAN hasn't been defined. I'll give it a go in a bit and let you know.

Thanks
Userlevel 6
OscarK wrote:

From memory you just add a port to the vlan you want and then enable netlogin on that port/

Indeed you need to create that netlogin vlan, but that could be just a bogus vlan.
Assign the right vlan to the ports, then on netlogin authentication if the radius server only sends accept without vlan VSA it would work as ISP mode.
Userlevel 5
Thanks for getting back, and so quick again.

Reading through the EXOS user guide it defines ISP Mode as the following:

In ISP mode, the port and VLAN remain constant. Before the supplicant is authenticated, the port is in an unauthenticated state. After authentication, the port forwards packets.

That reads to me that although the VLAN remains constant it still seems reliant on authentication in order to pass traffic, otherwise the port would remain locked. With 'authentication mode optional' if RADIUS becomes unavailable the port will still forward... not sure what happens if you get a RADIUS reject back though, assume it will block?

Reading further I was wondering if the following command would achieve the same goal as optional:

configure netlogin move-fail-action authenticate

The discription for this is as follows:

If network login fails to perform Campus mode login, you can configure the switch to authenticate the client in the original VLAN or deny authentication even if the user name and password are correct.

The last bit of that sentence i'm not sure about though 'if the user name and password are correct', correct to what I wonder?

So my configuration would look like the following:

create vlan nt_login
configure netlogin vlan nt_login
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 password NOPASSWORD
configure netlogin mac authentication database-order radius
configure netlogin ports 20-22 mode mac-based-vlans
configure netlogin move-fail-action authenticate
enable netlogin ports 20-22 mac
enable netlogin mac

There looks like other commands I could use like:

configure netlogin authentication failure vlan Default ports 20-22
configure netlogin authentication service-unavailable vlan Default ports 20-22

So perhaps it just needs these?

Anyway, any other feedback would be great. Thanks
Userlevel 6
Yes, ISP would block the mac until it becomes authenticated. The move fail action might work but I doubt we allow it to be the same as the already assigned one. You need to test to see if that works.

Reply