topic RE: Netlogin for NAC not working on Extreme x440 and x430 Switches in ExtremeCloud IQ- Site Engine Management Center

Netlogin for NAC not working on Extreme x440 and x430 Switches

Sandeep_Sriniva — Thu, 22 Dec 2016 03:16:00 GMT

We have deployed NAC and applied the rules and enabled Netlogin on x430 and x440 switches with ExtremeXOS version 16.2.1.6. The MAC authentication shows passed in Netsight and in switch however its not applied in reality if the switch doesnt have the ports configured to the repective vlan.
We are lost in this are we missing something in the configuration.

Here is the configuration on the switch.

create vlan NACauth
configure netlogin vlan NACauth
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 password voxmac
enable netlogin ports 1-23 dot1x
enable netlogin ports 1-23 mac
configure netlogin ports 1-23 mode mac-based-vlans
configure netlogin ports 1-23 no-restart

RE: Netlogin for NAC not working on Extreme x440 and x430 Switches

Jeremy_Gibbs — Thu, 22 Dec 2016 03:34:00 GMT

Are you enabling authentication on the ports?

configure netlogin port 1-23 authentication mode optional

RE: Netlogin for NAC not working on Extreme x440 and x430 Switches

Ilya_Semenov — Thu, 22 Dec 2016 03:34:00 GMT

There is no such command in EXOS 16.x

Is there any analog for it?

Thanks

RE: Netlogin for NAC not working on Extreme x440 and x430 Switches

Sandeep_Sriniva — Thu, 22 Dec 2016 03:43:00 GMT

Yes, we are enabling the authentication on the Ports we have 5 vlans and once the MAC address is reflected on the Netsight we move them to particular group.

Example - I have connected laptop on port 20 and vlan 20 has to assigned after I move it to the group in Netsight, this is not working until the vlan 20 is configured on the switch.

Netsight should override the switch configuration, we have G2 switches which are working perfectly fine.

RE: Netlogin for NAC not working on Extreme x440 and x430 Switches

Keith_Obermeier — Thu, 22 Dec 2016 04:19:00 GMT

I'm using a 460G2, but the config should be the same. In the end I added the switches to nac mgr as manual switches and did the following config in cli: # Module netLogin configuration. # enable netlogin dot1x mac configure netlogin authentication protocol-order dot1x mac web-based enable netlogin ports 1:1-48 dot1x enable netlogin ports 1:1-48 mac configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted configure netlogin mac timers reauth-period 90 configure netlogin mac username format hyphenated # Module aaa configuration. # configure radius netlogin primary server 1812 client-ip vr VR-Default configure radius netlogin primary shared-secret encrypted configure radius netlogin secondary server 1812 client-ip vr VR-Default configure radius netlogin secondary shared-secret encrypted configure radius-accounting netlogin primary server 1813 client-ip vr VR-Default configure radius-accounting netlogin primary shared-secret encrypted configure radius-accounting netlogin secondary server 1813 client-ip configure radius timeout 20 configure radius mgmt-access timeout 20 configure radius netlogin timeout 20 enable radius-accounting disable radius-accounting mgmt-access enable radius-accounting netlogin

RE: Netlogin for NAC not working on Extreme x440 and x430 Switches

Ronald_Dvorak — Thu, 22 Dec 2016 04:32:00 GMT

Did you see a error message like the below one in the switch...

# show log

12/21/2016 23:25:18.73 VLAN Tag 234 specified in Radius VSA does not exist on the switch or cannot be created. Please verify RADIUS configuration

RE: Netlogin for NAC not working on Extreme x440 and x430 Switches

Ronald_Dvorak — Thu, 22 Dec 2016 04:58:00 GMT

That should do the trick...

http://documentation.extremenetworks.com/exos_22.1/exos_21_1/netlogin/c_configuring-dynamic-vlans-fo...

# enable the switch to create/delete VLANs d
configure netlogin dynamic-vlan enable

# enable the switch to create/delete the VLAN tagged on the uplink - in this example on port#1
# only needed if you'd like to have the VLAN also on the uplink
configure netlogin dynamic-vlan uplink-ports 1

* X430-48t.62 # sh log12/21/2016 23:55:28.49 Network Login MAC user 14DAE9EC029F logged in MAC 14:DA:E9:EC:02:9F port 33 VLAN(s) "SYS_VLAN_0234", authentication Radius
12/21/2016 23:55:28.26 Port 33 link UP at speed 1 Gbps and full-duplex

RE: Netlogin for NAC not working on Extreme x440 and x430 Switches

Sandeep_Sriniva — Thu, 22 Dec 2016 17:27:00 GMT

Here are logs...
12/22/2016 10:24:53.41 Port=47: No associated STP port fo r STP Domain tag 1 (Rate-limited)12/22/2016 10:24:47.43 Authentication failed for Net work Login 802.1x user host/TRYNTA02 Mac 6C:0B:84:08:B7:DE port 12
12/22/2016 10:24:45.40 Login passed for user admin through t elnet (10.210.1.241)
12/22/2016 10:24:41.41 Port=47: No associated STP port fo r STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:29.84 Authentication failed for Net work Login 802.1x user host/CANNTA05 Mac 6C:AE:8B:0B:DF:51 port 14
12/22/2016 10:24:29.41 Port=47: No associated STP port fo r STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:23.14 Authentication failed for Net work Login 802.1x user host/VGNTA02 Mac 6C:AE:8B:0B:DF:C5 port 3 3
12/22/2016 10:24:17.41 Port=47: No associated STP port fo r STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:05.40 Port=47: No associated STP port fo r STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:04.37 Authentication failed for Net work Login 802.1x user host/CANNTA03 Mac 6C:AE:8B:0B:E5:05 port 4
12/22/2016 10:24:01.71 Authentication failed for Net work Login 802.1x user host/CANNTA02 Mac 6C:AE:8B:0B:E3:DE port 25
12/22/2016 10:23:58.83 Authentication failed for Net work Login 802.1x user host/CANNTA08 Mac 6C:AE:8B:0B:E3:B3 port 26

RE: Netlogin for NAC not working on Extreme x440 and x430 Switches

Sandeep_Sriniva — Fri, 23 Dec 2016 17:50:00 GMT

Finally found out the mistake, which applying policy on the switch I had selected VLAN_Name instead of VLAN_ID after changing it, enforced the policy and tested. Its working !!! 🙂