topic RE: Multisession on single port problem in ExtremeSwitching (EXOS/Switch Engine)

Multisession on single port problem

MarekorMark — Wed, 15 Mar 2017 18:38:00 GMT

Hi

i have problem to assing IP to MAC based authentication (printer) on a x440 single port.
situation looks like below:

computer---
computer--- desktop switch ----- x440 switch single port
printer-------

all dot1x sesions (users) are accepted and works fine but MAC session is not.

Port : 43
Authentication : 802.1x, mac-based
Port State : Enabled
Authentication Mode : Required (Policy Enabled only)
Max Supported Users : 256 (Policy Enabled only)
Allowed Users : 128 (Policy Enabled only)
Current Users : 3 (Policy Enabled only)
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 300
Supplicant Response Timeout : 120
Re-authentication : On
Re-authentication period : 0
Max Re-authentications : 3
RADIUS server timeout : 120
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication period : 7200
Re-authentication : On
Authentication Delay : 120 seconds
------------------------------------------------
Netlogin Clients
------------------------------------------------

MAC IP address Authenticated Type ReAuth-Timer User
00:0f:fe:xx:xx:xx 0.0.0.0 Yes, Radius 802.1x 0 user
00:23:7d:xx:xx:xx 0.0.0.0 Yes, Radius MAC 4385 00-23-7D-XX-XX-XX
94??80:xx:xx:xx 0.0.0.0 Yes, Radius 802.1x 0 user
-----------------------------------------------
(B) - Client entry Blackholed in FDB

On NAC manager i see that user (dot1x) sesions are resolving ip addresses using radius server which is visible in request (in table), but mac sessions are not.

when i switch printer direct to x440 port, all works fine.

Please help

Regards Mark

RE: Multisession on single port problem

MarekorMark — Thu, 16 Mar 2017 00:56:00 GMT

anybody ?

RE: Multisession on single port problem

Patrick_Koppen — Thu, 16 Mar 2017 03:24:00 GMT

Maybe you could post some more information...
Software version, show config netlogin, show config policy and show config aaa

Does it work if you only attach the printer behind the switch?
It could be a maximum user limit on the port?
Does the mac shows up in the fdb?
Did you enable logging?
What happend if you connect the printer (with logging enabled)?

RE: Multisession on single port problem

MarekorMark — Fri, 17 Mar 2017 12:49:00 GMT

so  this is what i've got:

show switch
SysName: LOL
SysLocation: LOL
SysContact: Marek Konopinski
System MAC: 00:04:96:XX:XX:XX
System Type: X440G2-48t-10G4

Current State: OPERATIONAL
Image Selected: primary
Image Booted: primary
Primary ver: 21.1.1.4
patch1-3
Secondary ver: 21.1.1.4

Config Selected: primary.cfg
Config Booted: Factory Default

primary.cfg Created by ExtremeXOS version 21.1.1.4
1225234 bytes saved on Thu Mar 16 09:39:51 2017

show version
Switch : 800617-00-09 1634N-40777 Rev 9.0 BootROM: 1.0.1.8 IMG: 21.1.1.4
PSU-1 : Internal Power Supply
PSU-2 :

Image : ExtremeXOS version 21.1.1.4 21.1.1.4-patch1-3 by release-manager
on Wed May 4 16:47:32 EDT 2016
BootROM : 1.0.1.8
Diagnostics : 5.4

NETLOGIN conf

enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 1-46 dot1x
enable netlogin ports 1-46 mac
configure netlogin dot1x ports 1-46 timers quiet-period 5

configure netlogin dot1x ports 47 timers reauth-period 30 reauth-max 4 - uplink (interswitch)
configure netlogin dot1x ports 48 timers reauth-period 30 reauth-max 4 - uplink (interswitch)
enable netlogin reauthenticate-on-refresh
configure netlogin session-refresh 30
configure netlogin allowed-refresh-failures 5
configure netlogin mac ports 1 timers reauthentication on

configure netlogin idle-timeout dot1x 0
configure netlogin idle-timeout web-based 0
configure netlogin idle-timeout mac 0
configure netlogin port 47 authentication mode optional
configure netlogin port 48 authentication mode optional

OTHER conf

enable radius
enable radius mgmt-access
enable radius netlogin
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
enable log target syslog "IP":514 vr VR-Mgmt local4
enable log target syslog "IP":514 vr VR-Default local4
enable ssh2
enable netlogin dot1x mac
enable netlogin ports 1-46 dot1x
enable netlogin ports 1-46 mac
enable netlogin reauthenticate-on-refresh
enable stpd s0

Also i can not enable one option:

configure netlogin port (port number/range) mode mac-based-vlans

becouse after port (port number/range) there is no "mode" option

regards
Marek

RE: Multisession on single port problem

Ram3 — Fri, 17 Mar 2017 12:49:00 GMT

Please check this article for your reference:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-R...

RE: Multisession on single port problem

MarekorMark — Fri, 17 Mar 2017 12:49:00 GMT

it aint that... i read it already but my problem is different

RE: Multisession on single port problem

Patrick_Koppen — Sat, 18 Mar 2017 04:15:00 GMT

Hello Marek,

you have a G2 with software >=21 so you can choose between to different
versions of netlogin. The old one from EXOS or the even older one from EOS
which is implemented in version 16 and 21 on G2 hardware.

The EXOS can do dot1x and mac auth with multiple host one the same port.
There's single vlan and a multi vlan model. It's configured like this:

!aaa
configure radius primary server 10.0.0.1 client-ip 10.1.1.2 vr "VR-Default" shared-secret geheim
enable radius netlogin

!create a dummy vlan and attach it do the netlogin process
create vlan ZNETLOGIN_DUMMY
configure netlogin vlan "ZNETLOGIN_DUMMY"

!enable netlogin globally
enable netlogin mac dot1x

!enable netlogin per port
enable netlogin port 5 mac dot1x

!do mac-auth for all mac-addresses
configure netlogin add mac-list default

!test it and look for sessions:
show netlogin [port 5]And the new (EOS) way....

!switch to policy mode (this make the world great again!)
enable policy

!mode optional on all ports
configure netlogin ports all authentication mode optional

!enable netlogin globally and per port
enable netlogin mac dot1x
enable netlogin por 5 mac dot1x

!do mac-auth for all mac-addresses
configure netlogin add mac-list default

!test it and look for sessions:
show netlogin sessionsclassic netlogin vs. policy mode:

In policy mode you can authenticate and authorize each mac on a port
individually. Mac-authentication and dot1x run simultaneously and
the better method wins:

Authentication Protocol Order: 802.1x, web-based, mac-based (default)

So one protocol is sufficient to get an valid netlogin session.

For each port EOS has four different configuration how packets are
handled:

- Forced Authorized: netlogin disabled, packets always forwarded
- Forced UnAuthorized: netlogin disabled, packets always dropped
- Authentication Required: netlogin enable, unauthenticated packets
dropped
- Authentication Optional (with optional Policy/Filterlist):
netlogin enabled, unauthenticated packets forwarded

EXOS implements only Required and Optional. You can disable netlogin
per port to get the 'forced' modes. See the policy course for
more detailed information...

RE: Multisession on single port problem

Patrick_Koppen — Sat, 18 Mar 2017 04:36:00 GMT

Hello Marek,

now your problem. It seems you used commands from both concepts. But your configuration
works. You see the session.

The missing ip in EAC is something totally different. After a successfull authentication
the EAC waits 10 second to start the resolving process. If it fails it waits 60 seconds, tries
again, waits 60 seconds and tries again. So after 2:10 it stopps the process and you
get 'ip resulution failed'.

There are about 5 ways to fix this:

update to EXOS 22.2 and EMC/EAC 7.1 and enable nodealias
forward dhcp packet from every router in every vlan to one or two EACE
configure an ip address in every vlan in the switch
tell EAC the default gateway for the vlan/switch combination
...

1 works always, 2 only with dhcp clients, 3 should work, 4 works only with one vlan
per switch, ....

In your case turn off the printer, plug it into the mini switch, and turn it on again. It
should work. If not enable endsystem diagnostics in the EACE.

See Extreme Access Control course for more information...