Strange Netlogin behaviour

Luca_Messori — Tue, 30 Sep 2014 19:21:00 GMT

I have configured bot dot1x and mac auth on the same port with dynamic vlan.
dot1x for PC and notebook
mac for telephone and printers

What I have seen is that just after the ports became active the switch starts mac auth instead of wait for eapol start from the client:
09/30/2014 15:43:21.94 Slot-1: Network Login 802.1x user host/DA17190.ita.rsa-ins.com logged in MAC A4:5D:36:D1:54:1C port 3:15 VLAN(s) "PP_4P", authentication Radius
09/30/2014 15:43:21.68 Slot-1: Network Login MAC user A45D36D1541C logged in MAC A4:5D:36:D1:54:1C port 3:15 VLAN(s) "Ospite", authentication Radius
09/30/2014 15:43:21.42 Slot-1: Port 3:15 link UP at speed 100 Mbps and full-duplex

After some second, when it receive the eapol start it restart a new authentication process for the same mac address.

The results is that client is first moved in guest vlan (where it gets an ip address from dhcp server) and then in client vlan.

This is my netlogin conf:
configure netlogin vlan TEMP
enable netlogin dot1x mac
configure netlogin agingtime 120
configure netlogin dynamic-vlan enable
configure netlogin dynamic-vlan uplink-ports 1:49
configure netlogin mac authentication database-order local radius
enable netlogin ports 1:1-48, 2:1-7, 2:9-17, 2:19-48, 3:1-12, 3:14-48, 4:1-48, 5:1-44, 5:46-50 dot1x
enable netlogin ports 1:1-48, 2:1-7, 2:9-17, 2:19-48, 3:1-12, 3:14-48, 4:1-48, 5:1-44, 5:46-50 mac
configure netlogin ports 1:1 mode port-based-vlans
configure netlogin ports 1:1 no-restart
.....
configure netlogin add mac-list 00:00:aa:fa:29:85 48 encrypted "=421BFAB3<44"
...
configure netlogin add mac-list 00:90:1e:90:00:e1 48 encrypted "=4;12B>315I0"
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin dot1x timers server-timeout 10
configure netlogin dot1x timers reauth-period 0
configure netlogin dot1x timers supp-resp-timeout 10
enable netlogin authentication service-unavailable vlan ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-50
configure netlogin authentication service-unavailable vlan Ospite ports 1:1-2, 1:4-8, 1:10-14, 1:16-48, 2:1-7, 2:10-17, 2:19-48, 3:1-12, 3:14-48, 4:1-28, 4:30-31, 4:33-48, 5:1-50

In my opinion this is un uncorret behaviour because mac auth should happens only when the client has'nt or has not configured a 802.1x supplicant.

RE: Strange Netlogin behaviour

PARTHIBAN_CHINN — Tue, 30 Sep 2014 22:08:00 GMT

This looks to me a known issue What is the exos version . Did you check with a different exos

RE: Strange Netlogin behaviour

Luca_Messori — Wed, 01 Oct 2014 00:12:00 GMT

I have done test with firmware 15.1.3 and 15.3.4.6-patch5 but I have the same results.
I have seen SR number 4-4576621665.

I think that there are two problems:
- the switch is not honoring the 30 second timeout period before mac auth
- the client sends the dhcp request immediately (before it is moved to its vlan)

I would like to resolve the first one problem.
In SR number 4-4576621665 there is this annotation:
"Resolved via 01033072"
What is 01033072?

Regards

topic RE: Strange Netlogin behaviour in ExtremeSwitching (EXOS/Switch Engine)

Strange Netlogin behaviour

RE: Strange Netlogin behaviour

RE: Strange Netlogin behaviour