Netlogin Assign VLAN not working

Shannon_Rowe1 — Fri, 20 Mar 2020 05:46:30 GMT

Hi,

We want netlogin to work a follows:

authenticated by dot1x then keep port native vlan
if no dot1x, authenticated by RADIUS MAC auth then keep port native vlan
if no dot1x or mac auth, RADIUS will still authenticate the port, but place it in a specific VLAN

dot1x and radius mac auth both work independently, however, the vlan is not set when the radius engine sends the attribute (Extreme-Netlogin-Extended-VLAN = U<vlan name>)

I see in the logs (see excerpt below) that the switch is correctly receiving the vlan (TCC_Main) and assigning it, and I can see this on the port - it quickly switches to the new VLAN, before reverting to the port native VLAN, but then the switch seems to send a radius accouting stop which kills the process.

03/20/2020 11:39:23.09 <Info:AAA.RADIUS.RecvRspns> Received an Accounting Stop Response (packet length 20, destination UDP port 32769, id 162) from accounting server #primary netlogin for 04-0E-3C-D5-AB-5C(userName '040E3CD5AB5C') on port 2.
03/20/2020 11:39:23.09 <Info:AAA.RADIUS.sendSuccess> Accounting Stop Request(packet length 133, source UDP port 32769, id 162) sent to server #primary netlogin for user 04-0E-3C-D5-AB-5C(userName '040E3CD5AB5C') for the macauthentication agent on port 2
03/20/2020 11:39:23.08 <Info:AAA.RADIUS.ApiReq> Accounting stop for 04-0E-3C-D5-AB-5C(username '040E3CD5AB5C') on port 2.
03/20/2020 11:39:23.08 <Info:AAA.RADIUS.RecvRspns> Received an Accounting Start Response (packet length 20, destination UDP port 32769, id 161) from accounting server #primary netlogin for 04-0E-3C-D5-AB-5C(userName '040E3CD5AB5C') on port 2.
03/20/2020 11:39:23.07 <Info:AAA.RADIUS.sendSuccess> Accounting Start Request(packet length 121, source UDP port 32769, id 161) sent to server #primary netlogin for user 04-0E-3C-D5-AB-5C(userName '040E3CD5AB5C') for the macauthentication agent on port 2
03/20/2020 11:39:23.06 <Info:AAA.RADIUS.ApiReq> Accounting start for 04-0E-3C-D5-AB-5C(username '040E3CD5AB5C') on port 2.
03/20/2020 11:39:23.04 <Info:nl.ClientAuthenticated> Network Login MAC user 040E3CD5AB5C logged in MAC 04:0E:3C:D5:AB:5C port 2 VLAN(s) "TCC_Main", authentication Radius
03/20/2020 11:39:22.98 <Info:AAA.RADIUS.RecvRspns> Received an access accept (packet length 51, destination UDP port 32769, id 160) from authentication server #primary netlogin for 04-0E-3C-D5-AB-5C(userName '040E3CD5AB5C') on port 2.
03/20/2020 11:39:22.97 <Info:AAA.RADIUS.sendSuccess> Access Request(packet length 136, source UDP port 32769, id 160) sent to server #primary netlogin for user 04-0E-3C-D5-AB-5C(userName '040E3CD5AB5C') for the macauthentication agent on port 2

Netlogin config:

enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 2 dot1x
enable netlogin ports 2 mac
configure netlogin ports 2 mode port-based-vlans
configure netlogin ports 2 no-restart
configure netlogin ports 2 allow egress-traffic all_cast

How do I need to configure the switch for it to work as intended?

Thanks,

Shannon

topic Netlogin Assign VLAN not working in ExtremeSwitching (EXOS/Switch Engine)

Netlogin Assign VLAN not working