topic RE: Netlogin unwanted MAC is authenticated locally in ExtremeCloud IQ- Site Engine Management Center

Netlogin unwanted MAC is authenticated locally

Chacko — Thu, 10 Aug 2017 18:43:00 GMT

Hi,

I'm a little bit confused:
We are using netlogin for a year and it's working like you would expect it:
A unknown MAC address shows up on the switch, is getting blocked and reported in EMS.

But now, I have a unwanted MAC address, which is authenticated locally, but is reported as rejected in EMS - but the switch authenticates the user and assign to the granted VLAN.

Here is the netlogin config:

#
# Module netLogin configuration.
#
configure netlogin vlan AUTH
enable netlogin mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin mac timers reauth-period 7200
enable netlogin ports 1:10-48,2:10-2:48 mac
configure netlogin ports 1:10-48,2:10-2:48 mode mac-based-vlans
configure netlogin ports 1:10-48,2:10-2:48 no-restart
enable netlogin authentication service-unavailable vlan ports 1:10-48,2:10-2:48
configure netlogin authentication service-unavailable vlan office ports 1:10-48,2:10-2:48

Radius is working, the switch is a X450e-48p (stacked) with EXOS 15.3.2.11

I'm happy for feedback

Best Regards
Chacko

RE: Netlogin unwanted MAC is authenticated locally

Karthik_Mohando — Tue, 15 Aug 2017 11:50:00 GMT

Hi Chacko,

Can you post the "show netlogin port and "show log" which has the login success message?

RE: Netlogin unwanted MAC is authenticated locally

Chacko — Tue, 15 Aug 2017 11:50:00 GMT

Hi Karthik,

here is the output:
# sh netlogin port 2:20
Port : 2:20
Port Restart : Disabled
Allow Egress : None
Vlan : AUTH
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Enabled
MAC IP address Authenticated Type ReAuth-Timer User
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Port : 2:20
Port Restart : Disabled
Allow Egress : None
Vlan : office
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Enabled
MAC IP address Authenticated Type ReAuth-Timer User
10:4f:a8:XX:XX:XX 0.0.0.0 Yes, Locally MAC 7197 104FA8XXXXXX
-----------------------------------------------
(B) - Client entry Blackholed in FDB
And the log
Network Login MAC user 104FA8XXXXXX logged in MAC 10:4F:A8:XX:XX:XX port 2:20 VLAN(s) "office", authentication Locally
Port 2:20 link UP at speed 100 Mbps and full-duplex

RE: Netlogin unwanted MAC is authenticated locally

Karthik_Mohando — Tue, 15 Aug 2017 12:11:00 GMT

Chacko,

Is it possible to post the screenshot of the rejection message in the EMS?

Can you check if this MAC address is not present as local user in the switch itself?
The command is "show netlogin local-users"

In case if you have a radius server configured can you pose the "show config aaa" and does the radius request passed before the switch decided to do a local authentication? you can see this from the "show log" in case if the radius requests are failing

RE: Netlogin unwanted MAC is authenticated locally

Chacko — Tue, 15 Aug 2017 12:11:00 GMT

Hi,

sorry, I misspelled it - I meant EMC (management center):

First line is the configuration for our NAC appliances, so that policy is underneath the "allow if MAC and end-system group xxx"-policies.
Second line is the output in access control -> rejected end systems.

Radius is properly configured, the priority is default (radius, local), the local MAC users are empty.

There are no other log-entries related to authentication as soon as the ports comes up.
All the other netlogin devices are working fine on that switch and I can say to 100%, that the MAC address is not known in our Access Control database (first I built a script for checking it, and second, the right policy is chosen, so the MAC cannot be inside our end-system groups.

BR
Chacko

RE: Netlogin unwanted MAC is authenticated locally

Karthik_Mohando — Tue, 15 Aug 2017 12:49:00 GMT

Hi Chacko,

If the MAC is authenticated by EMC then we will see a different log message but by looking at the log message which you have shared the authentication has been processed locally by the switch

Network Login MAC user 104FA8XXXXXX logged in MAC 10:4F:A8:XX:XX:XX port 2:20 VLAN(s) "office", authentication Locally

I wanted to check if the local user database has this mac address or not and that can be checked using the command "show netlogin local-users" in the switch.

RE: Netlogin unwanted MAC is authenticated locally

Chacko — Tue, 15 Aug 2017 12:49:00 GMT

Hi,

okay, I can follow you:
Here is the output;
Slot-1 sw # sh netlogin local-users
Netlogin Local User Name Extended-VLAN VSA Security Profile
------------------------ ----------------------------- ----------------------
Slot-1 sw #So the local database is empty.

BR
Chacko

RE: Netlogin unwanted MAC is authenticated locally

Karthik_Mohando — Tue, 15 Aug 2017 13:10:00 GMT

Hi Chacko,

I would request you to pursue this issue with GTAC case as this needs further investigation.
15.3 version has already reached end of engineering hence it would be best to upgrade to the latest patch in 15.3 (15.3.5.2-patch1-14) and check if the issue is getting resolved before opening up the ticket.

RE: Netlogin unwanted MAC is authenticated locally

Chacko — Tue, 15 Aug 2017 13:10:00 GMT

Hi Karthik,

I updated the switch over night and so far, the problem hasn't occured again.
I hope there is no general netlogin problem in this software release - but the summit *50 will be out of contract next year anyway.

Thanks for your help

Best Regards
Chacko

RE: Netlogin unwanted MAC is authenticated locally

Karthik_Mohando — Wed, 16 Aug 2017 13:04:00 GMT

Hi Chacko,

Thanks for getting back on this, good to see that the issue is not seen.

RE: Netlogin unwanted MAC is authenticated locally

Chacko — Wed, 16 Aug 2017 13:04:00 GMT

Okay, I revoke the last one.
The issue is still active, even with 15.3.5.2-patch1-14.

I will open up a GTAC case with our external partner

BR
Chacko