Netlogin MAC auth not triggering RADIUS

Anonymous — Wed, 11 Apr 2018 16:17:00 GMT

Hi,

Believe this was working at some point but can't workout where the issue is, but in summary when an end-system is connected to a MAC auth enabled port (22 in this case) its not triggering the RADIUS exchange. This is showing up in the RADIUS counters on the switch remaining 0, and a TCPDUMP on the RADIUS server (NAC) are showing nothing hitting it?

Everything seems to be enabled and configured correctly from what I can tell, no messages are showing in the switch logs, and the switch has been rebooted?

Here is the config:

AAA Configuration:

configure radius netlogin 1 server 10.23.23.142 1812 client-ip 10.255.5.13 vr VR-Default
configure radius 1 shared-secret encrypted "#$IUJ6KZp7XE/QtheSL51gMgVphQvqTQtWtlcSTGc2"
configure radius netlogin 2 server 10.23.23.12 1812 client-ip 10.255.5.13 vr VR-Default
configure radius 2 shared-secret encrypted "#$6ruCKApEePMNVH5CaJp4MwIyg7tNkJpaqKVmet19"
configure radius-accounting netlogin 1 server 10.23.23.142 1813 client-ip 10.255.5.13 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$9+bcdiIS9MEBn1zwdRrI+ROwhz0eYfhA6/dJq9ym"
configure radius-accounting 1 timeout 10
configure radius-accounting netlogin 2 server 10.23.23.12 1813 client-ip 10.255.5.13 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$p0z1KNo1/B+DgUPPirDnar+R7NScnzCxeonbJIkH"
configure radius-accounting 2 timeout 10
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin
configure account all password-policy min-length 8
configure account all password-policy lockout-on-login-failures on
configure account all password-policy lockout-time-period 5 minutes

Netlogin Configuration:

configure netlogin vlan nt_login
enable netlogin mac
configure netlogin mac authentication database-order radius
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 20-22 mac
configure netlogin ports 20 mode port-based-vlans
configure netlogin ports 20 no-restart
configure netlogin ports 21 mode port-based-vlans
configure netlogin ports 21 no-restart
configure netlogin ports 22 mode port-based-vlans
configure netlogin ports 22 no-restart
configure netlogin authentication failure vlan Default ports 20-22
configure netlogin authentication service-unavailable vlan Default ports 20-22

Show Radius:

Radius Default State: enabled
Radius Default Timeout: 15 seconds
Radius Algorithm: standard
Radius Retries: 3
Switch Management Radius: disabled
Switch Management Radius server connect time out: 15 seconds *
Switch Management Radius Accounting: disabled
Switch Management Radius Accounting server connect time out: 3 seconds
Netlogin Radius: enabled
Netlogin Radius server connect time out: 15 seconds *
Netlogin Radius Accounting: enabled
Netlogin Radius Accounting server connect time out: 3 seconds
Radius server : 1 Status is Active
host name :
IP address : 10.23.23.142
Server IP Port: 1812
Client address: 10.255.5.13 (VR-Default)
Retries : 3 *
Timeout : 15 *
Realm : Netlogin
shared secret : #$IUJ6KZp7XE/QtheSL51gMgVphQvqTQtWtlcSTGc2
Access Requests : 0 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0
Radius server : 2 Status is Active
host name :
IP address : 10.23.23.12
Server IP Port: 1812
Client address: 10.255.5.13 (VR-Default)
Retries : 3 *
Timeout : 15 *
Realm : Netlogin
shared secret : #$6ruCKApEePMNVH5CaJp4MwIyg7tNkJpaqKVmet19
Access Requests : 0 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0
Radius Acct server: 1 Status is Active
host name :
IP address : 10.23.23.142
Server IP Port: 1813
Client address: 10.255.5.13 (VR-Default)
Retries : 3
Timeout : 10
Realm : Netlogin
shared secret : #$9+bcdiIS9MEBn1zwdRrI+ROwhz0eYfhA6/dJq9ym
Acct Requests : 0 Acct Responses : 0
Acct Retransmits : 0 Timeouts : 0
Radius Acct server: 2 Status is Active
host name :
IP address : 10.23.23.12
Server IP Port: 1813
Client address: 10.255.5.13 (VR-Default)
Retries : 3
Timeout : 10
Realm : Netlogin
shared secret : #$p0z1KNo1/B+DgUPPirDnar+R7NScnzCxeonbJIkH
Acct Requests : 0 Acct Responses : 0
Acct Retransmits : 0 Timeouts : 0
Legend: An asterisk (*) indicates a global value is in use.

Show netlogin port 22

Port : 22
Port Restart : Disabled
Allow Egress : None
Vlan : ELRP-Ctrl
Authentication : mac-based
Port State : Enabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication period : 3600
Re-authentication : Off
Authentication Delay : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------
MAC IP address Authenticated Type ReAuth-Timer User
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Port : 22
Port Restart : Disabled
Allow Egress : None
Vlan : Hitchin_VC_1st
Authentication : mac-based
Port State : Enabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication period : 3600
Re-authentication : Off
Authentication Delay : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------
MAC IP address Authenticated Type ReAuth-Timer User
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Number of Clients Authenticated : 0

Show port 22 information detail:

Port: 22(ARE-RH-L1-10):
Description String: "VC Reservered Ports"
Virtual-router: VR-Default
Type: UTP
Redundant Type: NONE
Random Early drop: Unsupported
Admin state: Enabled
Copper Medium Configuration: 100M full-duplex auto-polarity on
Fiber Medium Configuration: auto-speed sensing auto-duplex
Link State: Active, 100Mbps, full-duplex
Link Ups: 2 Last: Wed Apr 11 10:35:30 2018
Link Downs: 1 Last: Wed Apr 11 10:35:16 2018
VLAN cfg:
Name: ELRP-Ctrl, 802.1Q Tag = 3100, MAC-limit = No-limit, Virtual router: VR-Default
Port-specific VLAN ID: 3100
Name: Hitchin_VC_1st, Internal Tag = 1002, MAC-limit = No-limit, Virtual router: VR-Default
STP cfg:
Protocol:
Name: Hitchin_VC_1st Protocol: ANY Match all protocols.
Trunking: Load sharing is not enabled.
EDP: Enabled
EEE: Disabled
ELSM: Disabled
Ethernet OAM: Disabled
Learning: Enabled
Unicast Flooding: Enabled
Multicast Flooding: Enabled
Broadcast Flooding: Enabled
Jumbo: Disabled
Flow Control: Rx-Pause: Disabled Tx-Pause: Disabled
Priority Flow Control: Disabled
Reflective Relay: Disabled
Link up/down SNMP trap filter setting: Disabled
Egress Port Rate: No-limit
Broadcast Rate: 300 packets-per-second
Multicast Rate: No-limit
Unknown Dest Mac Rate: No-limit
QoS Profile: None configured
Ingress Rate Shaping : Unsupported
Ingress IPTOS Examination: Enabled
Ingress 802.1p Examination: Disabled
Ingress 802.1p Inner Exam: Disabled
Ingress 802.1p Priority: 0
Egress IPTOS Replacement: Disabled
Egress 802.1p Replacement: Disabled
NetLogin: Enabled
NetLogin authentication mode: MAC based
NetLogin port mode: Port based VLANs
Smart redundancy: Enabled
Software redundant port: Disabled
IPFIX: Disabled Metering: Ingress, All Packets, All Traffic
IPv4 Flow Key Mask: SIP: 255.255.255.255 DIP: 255.255.255.255
IPv6 Flow Key Mask: SIP: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
DIP: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
auto-polarity: Enabled
Preferred medium: Fiber
Shared packet buffer: default
VMAN CEP egress filtering: Disabled
Isolation: Off
PTP Configured: Disabled
Time-Stamping Mode: None
Synchronous Ethernet: Unsupported
Dynamic VLAN Uplink: Disabled
VM Tracking Dynamic VLANs: Disabled

Verbose logs from NAC:

2018-04-11 11:51:50,176 INFO [esd] Enabling verbose diagnostics for MAC: 00-13-FA-0B-19-11
2018-04-11 11:51:57,811 DEBUG [esd] ESDMAC:0B-19-11 EndSystemActionRequestHandler - Processing action: (reauthentication) on end system: 00-13-FA-0B-19-11, IP: null, user: , reason: UserSpecified(USER_INITIATED_REAUTH), from appliance: false
2018-04-11 11:51:57,813 DEBUG [esd] ESDMAC:0B-19-11 EndSystemActionRequestHandler - This NAC engine is the current appliance, so reauth.
2018-04-11 11:51:57,813 DEBUG [esd] ESDMAC:0B-19-11 EndSystemActionRequestHandler - Reauthing end system: 00-13-FA-0B-19-11
2018-04-11 11:51:57,813 DEBUG [esd] ESDMAC:0B-19-11 ReauthTask - Calculating if a re-authentication really needs to be performed for reason: USER_INITIATED_REAUTH.
2018-04-11 11:51:57,813 DEBUG [esd] ESDMAC:0B-19-11 ReauthTask - The re-authentication request is being processed because the reauth reason: "USER_INITIATED_REAUTH" is not for a data change.
2018-04-11 11:51:57,814 DEBUG [esd] ESDMAC:0B-19-11 ReauthTask - Re-authentication running for Switch: 10.255.5.13, Port : 1022, Port Name : 1:22, Port Alias: VC Reservered Ports, MAC: 00-13-FA-0B-19-11, Reason: USER_INITIATED_REAUTH
2018-04-11 11:51:57,814 INFO [esd] ESDMAC:0B-19-11 ReauthSnmpTask - Executing Reauth for MAC: 00-13-FA-0B-19-11, IP: null for NAS switch 10.255.5.13 switchPort 1022 reason: USER_INITIATED_REAUTH all sessions
2018-04-11 11:51:57,814 DEBUG [esd] ESDMAC:0B-19-11 ReauthSnmpTask - Not using toggle link for session: AUTH_MAC => Rejected: false shouldToggleLinkForRejectedEapTlsOnReauth: true ID: 2025282951
2018-04-11 11:51:57,814 INFO [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Starting Extreme Reauthentication for MAC: 00-13-FA-0B-19-11 on switch: 10.255.5.13 and port: 1022
2018-04-11 11:51:57,814 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - *Not* using port initialization (Switch setting for: 1.3.6.1.4.1.1916.2.175 use initialize: false) & (Attributes to send: No Attributes use initialize: false)
2018-04-11 11:51:57,814 INFO [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Reauthenticating using Dot1X Auth Reauthenticate for MAC: 00-13-FA-0B-19-11
2018-04-11 11:51:57,814 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - using OID: 1.0.8802.1.2.1.2.1.2.1.2.0.19.250.11.25.17
2018-04-11 11:51:58,062 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Unable set dot1xAuthReauthenticate2(1.0.8802.1.2.1.2.1.2.1.2.0.19.250.11.25.17) from switch: 10.255.5.13, with error: Error writting to OID: "1.0.8802.1.2.1.2.1.2.1.2.0.19.250.11.25.17", with value: 1", with SNMP error: SNMP_ERROR_COMMIT_FAILED.
2018-04-11 11:51:58,062 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Clearing of 802.1X sessions for entire port is *not* allowed, so skipping reauthenticating using dot1xPaePortReauth for switch port: 1022
2018-04-11 11:51:58,062 INFO [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Reauthenticating using Extreme MAC Auth Client Reauthenticate OID for MAC: 00-13-FA-0B-19-11
2018-04-11 11:51:58,062 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - using OID: 1.3.6.1.4.1.1916.1.44.1.1.1.3.0.19.250.11.25.17
2018-04-11 11:51:58,240 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Unable set OID: (1.3.6.1.4.1.1916.1.44.1.1.1.3.0.19.250.11.25.17) for switch: 10.255.5.13, with error: Error writting to OID: "1.3.6.1.4.1.1916.1.44.1.1.1.3.0.19.250.11.25.17", with value: 1", with SNMP error: SNMP_ERROR_NOT_WRITEABLE.
2018-04-11 11:51:58,240 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - *Not* falling back to toggle link because option is disabled.
2018-04-11 11:51:58,240 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - 802.1X Reauthentication was: *not* successful
2018-04-11 11:51:58,240 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - MAC Reauthentication was: *not* successful
2018-04-11 11:51:58,240 INFO [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Reauthentication was: *not* successful
2018-04-11 11:51:58,240 DEBUG [esd] ESDMAC:0B-19-11 ReauthTask - Re-authentication failed. Switch: 10.255.5.13, Port : 1022, Port Name : 1:22, Port Alias: VC Reservered Ports, MAC: 00-13-FA-0B-19-11, Reason: USER_INITIATED_REAUTH
The switch is a X440G1 running version 16.2.3.5 patch1-3

Thanks for any help in advance.

RE: Netlogin MAC auth not triggering RADIUS

Pawel_Zwierzyns — Wed, 11 Apr 2018 16:51:00 GMT

Hi
What kind of end system did you connect? I had these problem, just end system didn't generate any traffic.

Regards

RE: Netlogin MAC auth not triggering RADIUS

Anonymous — Wed, 11 Apr 2018 16:56:00 GMT

It is a Video Conferencing device. Could possibly be due to that, but the solution was previously working and additionally works at another site.

Nonetheless, you never know.... so a good call.

I'll post back the results. Thanks

RE: Netlogin MAC auth not triggering RADIUS

Ahmed_Haroun — Wed, 11 Apr 2018 17:36:00 GMT

Hi,

if this is a silent device then you need to make sure of two things:

1- the vlan where the device should go must be added explicitly to the port before enabling netlogin.
2- this command looks missing from your config :
configure netlogin ports 22 allow egress-traffic all_cast

RE: Netlogin MAC auth not triggering RADIUS

Anonymous — Wed, 11 Apr 2018 19:54:00 GMT

Thanks for the information.

Adding a PC to the port seems to have triggered the RADIUS request, so the video conference unit is directly relational to the issue.

Adding the command:

configure netlogin ports 22 allow egress-traffic all_cast

Seems to have effected the port where the LEDs have stayed green, whereas before they would consistently switch between green and amber.... but the VC unit still isn't triggering the netlogin / RADIUS process.

Still experimenting at the moment so will post back if anything comes up.

RE: Netlogin MAC auth not triggering RADIUS

Erik_Auerswald — Mon, 16 Apr 2018 20:10:00 GMT

Can you trigger netlogin of the VC unit by pinging it? Allowing all_cast to egress the port should enable the ARP request to reach the VC unit, which can then answer. The answer should trigger netlogin.

Does the VC unit use DHCP, but the port/VLAN has spanning tree enabled without edge port configuration? It might not try DHCP often enough to trigger netlogin after STP puts the port into forwarding mode.

topic Netlogin MAC auth not triggering RADIUS in ExtremeSwitching (EXOS/Switch Engine)

Netlogin MAC auth not triggering RADIUS

RE: Netlogin MAC auth not triggering RADIUS

RE: Netlogin MAC auth not triggering RADIUS

RE: Netlogin MAC auth not triggering RADIUS

RE: Netlogin MAC auth not triggering RADIUS

RE: Netlogin MAC auth not triggering RADIUS