topic RE: Fail open port / user authentication in ExtremeSwitching (EXOS/Switch Engine)

Fail open port / user authentication

Anonymous — Fri, 28 Sep 2018 20:03:00 GMT

Apologies in advance if this is an easy one...

Basically the question is in EXOS, what would be the configuration to fail authentication open albeit MAC, PEAP, EAP-TLS etc if both RADIUS / NAC appliances become unavailable?

With NAC / RADIUS not available I would either need to fail open, or do something else that would still grant access to the network.

Appreciate anything already authenticated onto the network would stay connected. I believe there is a timer that can be configured to set the re-authentication time or turn off completely.

An option could possibly move to local switch authentication using MAC addresses if all those are previous stored / configured on the switch?

Possibly use something like the following:

configure netlogin authentication failure vlan Default ports 1-22
configure netlogin authentication service-unavailable vlan Default ports 1-22

Although some ports like phones might have multiple VLAN's, so not sure how that would work.

Possibly something else I haven't thought of or found?

Many thanks in advance

RE: Fail open port / user authentication

BradP — Fri, 28 Sep 2018 20:13:00 GMT

Hi Martin,

I'm not sure if this is the question that you're asking--but what if you set the authentication to optional? That way if NAC/RADIUS are unavailable, users can still access the network. Is that an option?

configure netlogin port authentication mode optional

Thanks
Brad

RE: Fail open port / user authentication

Anonymous — Fri, 28 Sep 2018 20:55:00 GMT

Hi Brad, thanks for posting back.

The reason I haven't used that command is because I believed it would allow devices onto the network in normal operation even if they didn't authenticate. The only time I've really used it is when using NAC in monitoring mode i.e. MAC auth optional.

So I'm thinking yes it would do the trick, but at the same time bypass the port authentication security in the process under normal operation - would that be right?

The following GTAC article says the following:

https://gtacknowledge.extremenetworks.com/articles/Q_A/If-port-has-been-configured-for-authOptional-...

With authentication optional mode, the traffic from the client will be allowed even when it is not authenticated. i.e. authentication is not mandatory. If the client failed to authenticate due to some reason (either server unreachable or wrong password or some other reason), then switch will still add the MAC in fdb table and stop initiating the re-auth request to the radius server. The next authentication will be triggered only when fdb ages out or “clear fdb” is executed. If the client gets successfully authenticated with this mode, then it will continue to send the re-auth request after every policy session time-out. But since this customer scenario deals about failed client, session time-out does not apply. After aging time expires the failed entries will be deleted from netlogin however the FDB do not get cleared. Many thanks,

Martin

RE: Fail open port / user authentication

Ryan_Yacobucci — Sun, 30 Sep 2018 21:35:00 GMT

Hey Martin,

You are correct if the environment that you're running in is 802.1x only. 802.1x relies on a supplicant on the end system in order to complete authentication. If the supplicant doesn't exist the end system could connect to the switch port and gain access without performing any type of authentication.

However, MAC authentication doesn't require any supplicant or configuration from the end system itself. As long as the end system sources a packet, MAC authentication WILL perform MAC authentication on that end system as long as the AAA infrastructure is operating normally. With X and MAC enabled there will be some level of authentication for every device unless AAA is not functional.

We have customers that have MAC authentication provide a "Quarantine" role that restricts network access until 802.1x is completed. In this environment the client will connect, initially obtain a "Quarantine" role, and once 802.1x completes it can elevate the policy to one that provides the desired level of access.

In this situation if a guest plugs in to the same port without a supplicant they will sit in "Quarantine" as MAC authentication will still complete.

If AAA functionality is compromised the device will default to the static configuration on the port. You can set a default policy on the port as well that will be used if authentication fails.

Thanks
-Ryan

RE: Fail open port / user authentication

Anonymous — Mon, 01 Oct 2018 15:54:00 GMT

Hi Ryan,

Thanks for taking the time to respond, very helpful.

So I'll go away and play with this. Basically I'll need to enable MAC auth as well as 802.1x on all my ports, and define a default policy based on what I wont to do if AAA functionality fails.

Once done, I'll post back my netlogin configuration for reference.

Cheers.

RE: Fail open port / user authentication

Anonymous — Mon, 08 Oct 2018 15:56:00 GMT

Hi Ryan,

Just working on this now. So have set the authentication order to MAC, 802.1x and Web. Additionally configured a default role that contains the port to a specific VLAN - Guest VLAN in this case. Only currently testing this on one port, 1:4.

Have disabled the NAC and testing if the end-system can still connect.

Looking at the logs the device first tries MAC auth then 802.1x but fails both, and then cant connect to the network.

Here is the log:

10/08/2018 10:30:35.07 Slot-1: Authentication failed for Network Login 802.1x user host/CAN3079.domain.org.uk Mac B8:6B:23:82:06:85 port 1:4

10/08/2018 10:30:35.06 Slot-1: Authentication failed for Network Login MAC user B86B23820685 Mac B8:6B:23:82:06:85 port 1:4

The configuration for Netlogin and Policy is shown below:

enable netlogin dot1x mac
configure netlogin authentication protocol-order mac dot1x web-based
enable netlogin ports 1:4 dot1x
enable netlogin ports 1:1-48,2:1-48,3:1-48 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "#$blVDSCrXyf9R/WdJIgkGS7+UVGf8Fg=="

configure policy profile 5 name "Guest Access" pvid-status "enable" pvid 4095 cos-status "enable" cos

configure policy rule admin-profile port 1:4 mask 16 port-string 1:4 admin-pid 5

This is the output from show netlogin:

Floor_18-EDGE-STK-02.1 # show netlogin port 1:4
Port : 1:4
Authentication : 802.1x, mac-based
Port State : Enabled
Authentication Mode : Required (Policy Enabled only)
Max Supported Users : 1024 (Policy Enabled only)
Allowed Users : 128 (Policy Enabled only)
Current Users : 0 (Policy Enabled only)
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication period : 3600
Re-authentication : Off
Authentication Delay : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------

MAC IP address Authenticated Type ReAuth-Timer User
b8:6b:23:82:06:85 0.0.0.0 No 802.1x 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB

So in this case, even though there is a default policy the client will not connect. What is odd is the type says 802.1x. So I decided to disable the supplicant on the client, clear the netlogin season for port 1:4 and reconnect.

When the device connects the logs now just show is trying MAC auth, no entry for 802.1x:

10/08/2018 10:48:39.15 Slot-1: Authentication failed for Network Login MAC user B86B23820685 Mac B8:6B:23:82:06:85 port 1:4
10/08/2018 10:48:39.15 Slot-1: Attempted the configured number of retries (3) to each of the 1 authentication servers without a server response for B8-6B-23-82-06-85(username 'B86B23820685') on port 1:4.

When you look as the session information it still says the type is 802.1x, either way I can't get the port to fallback to the default role:

------------------------------------------------
Netlogin Clients
------------------------------------------------

MAC IP address Authenticated Type ReAuth-Timer User
b8:6b:23:82:06:85 0.0.0.0 No 802.1x 0
-----------------------------------------------

Just wondering if you can see anything wrong, maybe share the configuration in the example you have provided.

Many thanks in advance

RE: Fail open port / user authentication

Ryan_Yacobucci — Mon, 08 Oct 2018 17:11:00 GMT

Hey Martin,

I think you still have the port in authentication mode "required"

Authentication Mode : Required (Policy Enabled only)

What happens if you use Brad's command:

configure netlogin port authentication mode optional

Thanks
-Ryan

RE: Fail open port / user authentication

Anonymous — Mon, 08 Oct 2018 17:11:00 GMT

Ah, there lies my misconception.... thinking that optional mode related to 802.1x as well!

Set that the auth to optional, and now working as expected.

Really appreciate you help Ryan.

Thanks again

Martin

RE: Fail open port / user authentication

Chad5 — Thu, 08 Jul 2021 03:39:00 GMT

Interesting discussion. Thank you all for this.

in ERS, there is a fail open config:

https://extremeportal.force.com/ExtrArticleDetail?an=000086929

I was trying to find the same on EXOS and stumbled on this thread.

on exos 30.4, I guess the commands were removed:

configure netlogin authentication failure ….
configure netlogin authentication service-unavailable ….

I can’t find them. So I guess this thread is the only method to get something similar to ERS Failopen.

My only question here is that the protocol-order was changed to MAC first… Wouldn’t that mean that MAC auth would be preferred over DOT1X? Wouldn’t we need to keep order as DOT1X then MAC so that if user has 802.1X, then it uses DOT1X first; If not, MAC auth would kick in and use default policy?

Thanks for any clarification on what I missed.

RE: Fail open port / user authentication

Tomasz — Mon, 12 Jul 2021 21:37:00 GMT

Hi Chad,

If I understood the thread well, isn’t these two bundled together what you may need?

conf netlogin port X authentication mode optional
default policy role applied to a port (to keep our port config handled within the Policy framework)

Hope that helps,

Tomasz

RE: Fail open port / user authentication

Chad5 — Tue, 13 Jul 2021 02:05:00 GMT

Hi Tomasz,

Yes, your comment is accurate. But I also noticed in thread that the protocol auth order needed to change to MAC first, then dot1x? That part didn’t make too much sense to me.

Thanks,

RE: Fail open port / user authentication

Tomasz — Tue, 13 Jul 2021 03:00:00 GMT

Hi Chad,

Personally I didn’t consider that as a strong advice but some particular deployment example. I might be low on caffeine though. 😉

My favourite approach: dot1x > mac.

If something is dot1x capable, it will run through it.

If something is not dot1x capable, it will run solely through EAC authorization rules.

If something is to be treated well (e.g. a list of sanctioned printers’ MAC addresses), it will.

If something is falling down to default catch-all, I’d deny it. Have a list of devices that should be entitled to fail over with MAC-auth just above catch-all rule in case of backend issues (or use Failsafe Policy mapping within EAC profile).

If the switch is not even able to get to the NAC gateway and we still see such risk although multiple redundancy measures we could’ve already taken, I’d consider auth mode optional and some default VLAN+ACL or default Policy set to access ports. But please remember to span the least privilege approach over there as well. Otherwise, if dot1x and mac auth fails due to EAC communication issue, various kind of devices might end up in the same VLAN and so on. I strongly recommend to consider what is really needed for such devices and users. DHCP/DNS/ARP, HTTPS? What about surveillance cameras failover to such default role? Perhaps port isolation feature on EXOS or a rule that prevents the same subnet as destination is a must in the end.

Just some food for thoughts.

Hope that helps,

Tomasz

RE: Fail open port / user authentication

Tomasz — Tue, 13 Jul 2021 20:38:00 GMT

P.S. I saw the service-unavailable netlogin command in 31.2 User Guide but on my X440-G2 running 31.2 it doesn’t let the command thru currently...

RE: Fail open port / user authentication

Chad5 — Wed, 14 Jul 2021 02:52:00 GMT

Thanks @Tomasz … food well digested 🙂

I’ll check the new command in 31.2 at some point as it might have a good simpler option.

Thanks for the replies.

RE: Fail open port / user authentication

Jon11 — Mon, 28 Mar 2022 22:39:00 GMT

Hate to resurrect a dead topic here, but I've got my netlogin configured for mac auth, no dot1x, and I'm struggling with authentication mode optional.

I have mac auth working to the RADIUS server, and authentication mode optional configured. However, when testing with the RADIUS server unavailable, I get a <Warn:AAA.RADIUS.noServerResp> log for exceeding the number of retries, and a <Noti:nl.ClientAuthFailure> log for the mac auth actually failing since RADIUS server was unavailable.

Could there be something else that I'm missing that actually makes the authentication optional? Am I not properly understanding how the optional authentication works?