ExtremeSwitching (EXOS)


 5420F and macmon

Franz R. posted 08-01-2022 04:56
Dear community,

We have a problem with our new switches from Extreme and macmon NAC. None of the new switches show the correct 802.1X status in macmon: they show "unauthorized" although they are authorized. It seems as if the 802.1X MAC bypass isn't correct. The 802.1X RADIUS looks good.

Any idea? Any experiences with this topic?

Thanks and kind regards

Franz
OscarK
I don't know macmon, but I assume you use macmon as RADIUS server.
Weird if the switch shows authenticated but the RADIUS server that sent the accept does not show that.

How does macmon determine the port status: SNMP, RADIUS accounting?
Try to find out how it does that and troubleshoot that part.
Stefan K.
Hi,
what do you mean by "802.1x MAC bypass"?

Just to make sure: Everything is working fine, clients are working and are authorized, but in Macmon you see that they are unauthorized?
Franz R.
Hi, and thank you for the response,

Yes, we use macmon as RADIUS server. I don't know how macmon determines the port status.

By MAC bypass I mean that there are devices without username, password and/or certificate. These devices are explicitly released by their MAC address. These devices are e.g. access points or cameras. We use macmon to monitor these devices and react before there are problems. A user calls us because the client has no connection; a camera doesn't.
Stefan K.

Care to share your switch config (the relevant parts)? And also share a "show netlogin session port x", preferably of a port where a user is connected and of a port where a camera is connected.

Best regards

Stefan

Franz R.
Which part of the switch configuration do you need, and how can I share it?

"show netlogin session port x" files are attached. The second one is from a printer, but the behaviour is the same.
Stefan K.
The second client shows "Auth status: failed" for 802.1x, so there is something wrong with the 802.1x config. It depends on the end-system what happens in such a case... Some end-systems will stop doing 802.1x Auth and fallback to mac-auth, but others won't function, depending on the configuration. (afaik)
On Windows this is called "Fallback to unauthorized network access", I believe.
Franz R.
OK, I understand, and it sounds logical.

But we have exactly the same end-systems on older Extreme switches, e.g. 4950GTS (I think this is EOS), and this works fine. macmon shows the correct status. So I think this is not a client problem.
Stefan K.
Okay, that's strange. Is 802.1x configured on those 4950GTS (they are Avaya btw)? Maybe the clients only do MAC-Auth there?
What does "show log" display when you connect the client on the 5420?

Best regards
Stefan
Franz R.
This is a log from yesterday with a printer on the port:

08/01/2022 12:08:14.14 <Noti:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user Mac 17:22:c7:12:ea:bd port 3
08/01/2022 12:08:14.14 <Noti:nl.Dot1xClientAuthFail> Authentication failed for Network Login 802.1x user Mac 17:22:c7:12:ea:bd port 3 because either the supplicant does not support dot1X or the supplicant has not responded to the EAPOL PDUs.
OscarK
So this is an EXOS switch: if a MAC authentication happens, it will try a dot1x authentication as well. If the device behind the port does not do dot1x, it will show this log entry, and "show netlogin session" will show a successful MAC auth session and a failed dot1x session.
This is normal behavior for EXOS.
Franz R.
OK, I asked the macmon support too. They answered:

The manufacturer probably does not implement a MAC bypass authentication as a Radius status and only sets the status correctly for a pure Radius (certificate or user/host) authentication.
You should ask the manufacturer about this.
Is there a MIB table in EXOS which shows the status of the MAC auth session? Possibly macmon can implement this MIB table entry as an additional column.
Stefan K.
Sorry, I'm still wondering what exactly is the problem. Is it only about the Auth status in Macmon or is there anything else regarding the authentication that is not working?
Franz R.
Thanks for the reply.

Maybe it's just a problem with our way of working ;-)

There are two problems with this.
First, every morning I scan our devices to see if there are any devices like cameras, access control, etc. that aren't online.

The second issue is that sometimes when a device like this isn't online, the problem is authentication. Then it works if I toggle authentication off and on.
Stefan Walser
Hi,

We have downloaded the MIB file for our EXOS version. I can't find the right OID to read out whether a device on a port is authenticated by dot1x or MAC.
On the switch I can see this information with this command. Does anyone know if there is an OID which reads out that information?

We also need an OID to toggle mac based authentication. On the exos switch the commands would be:
disable netlogin port X mac
enable netlogin port X mac

Best regards
Stefan
Stefan Walser
Hi,

After going through the MIB file for several hours I think I found the right OIDs to do what we need. I have not tested it thoroughly. Maybe someone can tell me if I am on the right track :) I have just imported the MIB file (for our environment it was for EXOS version 31.5.1.6) into a MIB file explorer and gone through every OID.

With this table you are able to read out on which ports MAC-based authentication is enabled. You are also able to make changes regarding MAC-based authentication on a specific port.
etsysMACAuthenticationPortConfigTable
1.3.6.1.4.1.5624.1.2.25.1.2.1

Example:
Port 1 MAC-based auth off/on
etsysMACAuthenticationPortEnable
1.3.6.1.4.1.5624.1.2.25.1.2.1.1.4.1001 = 2(disabled) 1 (enabled)

Reauthenticate devices on port 1 -> a read always returns 2 (false)
etsysMACAuthenticationPortInitialize
1.3.6.1.4.1.5624.1.2.25.1.2.1.1.2.1001 = 1(true) 2(false)

This table reads out the currently MAC-authenticated devices and lists them with the index number of the port:
etsysMACAuthenticationMACConfigTable
1.3.6.1.4.1.5624.1.2.25.1.3.1

To read out the authentication state of a specific port you can use this table:
etsysMultiAuthSessionPortTable
1.3.6.1.4.1.5624.1.2.46.1.4.2

In this table you can find a list of index numbers (ports) and whether a device is authenticated or not on this port. You can also see which authentication method works or not, for example dot1x fails but MAC-based authentication was successful.
The possible Authentication States are:
authSuccess(1), authFailed(2), authInProgress(3), authServerTimeout(4), authTerminated(5)

The status of authentication for this session. A value of authSuccess(1) means authentication was attempted and succeeded. A value of authFailed(2) means authentication was attempted and failed for a reason other than communication timing out with the authorization server. A value of authInProgress(3) means that the authorization process has been started but has not completed yet. A value of authServerTimeout(4) means that the request to the authorization server for this session timed out without a reply from the server. A value of authTerminated(5) indicates that the session was active or in progress and was subsequently terminated. A session may be terminated for several reasons, including but not limited to, session timeout, idle timeout, the ifOperStatus of the interface on which the session was authenticated transitioning out of the up(1) state, or explicit administrative management action.

Best regards
Stefan
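Added example (not from this thread, and not code from Extreme or macmon): a small Python decoder for the kind of SNMP data the last post points at. It parses net-snmp style "OID = INTEGER: n" walk output, builds the per-port row index the way the post does (port 1 -> 1001; the slot*1000+port rule for other slots is an assumption), decodes etsysMACAuthenticationPortEnable and the five multi-auth session states, and judges a port as authorized when any method succeeded, which is exactly the printer case where dot1x shows authFailed beside a successful MAC auth. The sub-identifier of the status column inside etsysMultiAuthSessionPortTable and the numbering of the authentication methods in its index are not given on the page, so they are placeholders (".1.X" and METHOD_NAMES) that must be replaced from the MIB; the sample walk is constructed, not captured from a switch.

```python
"""Decode the EXOS/Enterasys multi-auth SNMP data discussed in this thread.

Added example, not from the forum post or the vendor. Constants marked
FROM THREAD are the OIDs and values quoted above; anything marked
ASSUMPTION or PLACEHOLDER is not on the page and must be checked against
the Extreme MIB before it is used against a real switch.
"""
import re
from typing import Dict, Optional

# FROM THREAD: per-port MAC-auth configuration columns (append .<ifIndex>)
MAC_AUTH_PORT_ENABLE = "1.3.6.1.4.1.5624.1.2.25.1.2.1.1.4"      # 1 = enabled, 2 = disabled
MAC_AUTH_PORT_INITIALIZE = "1.3.6.1.4.1.5624.1.2.25.1.2.1.1.2"  # set 1 (true) to re-authenticate
# FROM THREAD: per-port session status table and its state values
MULTI_AUTH_SESSION_PORT_TABLE = "1.3.6.1.4.1.5624.1.2.46.1.4.2"
AUTH_STATES = {1: "authSuccess", 2: "authFailed", 3: "authInProgress",
               4: "authServerTimeout", 5: "authTerminated"}

# PLACEHOLDER: the sub-identifier of the status column and the numbering of the
# authentication methods in the row index are not on the page. Replace ".1.X"
# and METHOD_NAMES with the values from the MIB; the parsing below does not care.
SESSION_STATUS_COLUMN = MULTI_AUTH_SESSION_PORT_TABLE + ".1.X"
METHOD_NAMES = {1: "dot1x", 2: "mac"}  # ASSUMPTION


def port_to_ifindex(port: int, slot: int = 1) -> int:
    # FROM THREAD: port 1 is row index 1001; slot * 1000 + port is the ASSUMED general rule
    return slot * 1000 + port


def ifindex_to_port(ifindex: int) -> int:
    return ifindex % 1000


WALK_LINE = re.compile(r"^(?P<oid>[\w.]+)\s*=\s*INTEGER:\s*(?P<val>-?\d+)")


def parse_walk(text: str) -> Dict[str, int]:
    """Turn net-snmp style 'OID = INTEGER: n' lines into a {oid: value} dict."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if m:
            out[m.group("oid")] = int(m.group("val"))
    return out


def mac_auth_enabled(walk: Dict[str, int], ifindex: int) -> Optional[bool]:
    v = walk.get(f"{MAC_AUTH_PORT_ENABLE}.{ifindex}")
    return None if v is None else v == 1


def session_states(walk: Dict[str, int], ifindex: int) -> Dict[str, str]:
    """Map each authentication method seen on the port to its decoded state name."""
    prefix = f"{SESSION_STATUS_COLUMN}.{ifindex}."
    states: Dict[str, str] = {}
    for oid, val in walk.items():
        if oid.startswith(prefix):
            method = int(oid[len(prefix):])
            states[METHOD_NAMES.get(method, f"method{method}")] = AUTH_STATES.get(val, f"unknown({val})")
    return states


def port_authorized(states: Dict[str, str]) -> bool:
    # The thread's case: dot1x authFailed beside MAC authSuccess is still an authorized port,
    # so judge the port by its best method, not by the dot1x row alone.
    return "authSuccess" in states.values()


def port_report(walk: Dict[str, int], port: int) -> dict:
    idx = port_to_ifindex(port)
    states = session_states(walk, idx)
    return {"port": port, "ifindex": idx, "mac_auth_enabled": mac_auth_enabled(walk, idx),
            "methods": states, "authorized": port_authorized(states)}


def unauthorized_ports(walk: Dict[str, int]) -> list:
    """Ports known from either table with no successful method: the morning check list."""
    idxs = set()
    for oid in walk:
        if oid.startswith(MAC_AUTH_PORT_ENABLE + "."):
            idxs.add(int(oid.rsplit(".", 1)[1]))
        elif oid.startswith(SESSION_STATUS_COLUMN + "."):
            idxs.add(int(oid[len(SESSION_STATUS_COLUMN) + 1:].split(".")[0]))
    return sorted(ifindex_to_port(i) for i in idxs if not port_authorized(session_states(walk, i)))


def reauth_command(host: str, community: str, port: int) -> str:
    """net-snmp command that writes true(1) to etsysMACAuthenticationPortInitialize for the port."""
    return f"snmpset -v2c -c {community} {host} {MAC_AUTH_PORT_INITIALIZE}.{port_to_ifindex(port)} i 1"


# Constructed sample walk (not captured from a switch): port 1 passed dot1x, port 3 failed
# dot1x but passed MAC auth (the printer case above), port 5 timed out and has MAC auth disabled.
SAMPLE_WALK = f"""
{MAC_AUTH_PORT_ENABLE}.1001 = INTEGER: 1
{MAC_AUTH_PORT_ENABLE}.1003 = INTEGER: 1
{MAC_AUTH_PORT_ENABLE}.1005 = INTEGER: 2
{SESSION_STATUS_COLUMN}.1001.1 = INTEGER: 1
{SESSION_STATUS_COLUMN}.1003.1 = INTEGER: 2
{SESSION_STATUS_COLUMN}.1003.2 = INTEGER: 1
{SESSION_STATUS_COLUMN}.1005.1 = INTEGER: 4
"""

if __name__ == "__main__":
    walk = parse_walk(SAMPLE_WALK)
    for p in (1, 3, 5):
        print(port_report(walk, p))
    print("needs attention:", unauthorized_ports(walk))
    print(reauth_command("<switch-ip>", "<community>", 3))
```

The decision in port_authorized is the point of the whole thread: a monitoring tool that keys only on the dot1x row will report a MAC-bypassed printer or camera as unauthorized even though the switch has released it, so the NAC-side status should be derived from the best session state per port. The reauth_command helper only builds the net-snmp command string for the write the post describes; it does not execute anything.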