This is the config I use in my lab. see ports 1-5 => authentication is optional.
If the radius server is not responding or sends reject then port config is used.
If you want to not allow access then you need to send accept with specific policy profile
š
Image : ExtremeXOS version 21.1.1.4 21.1.1.4-patch1-5 by release-manager on Thu Jun 16 14:19:33 EDT 2016
BootROM : 1.0.2.1
Diagnostics : 5.4
Core-Lab-Network.5 # sh config policy#
# Module policy configuration.
#
enable policy
configure netlogin port 1 authentication mode optional
configure netlogin port 2 authentication mode optional
configure netlogin port 3 authentication mode optional
configure netlogin port 4 authentication mode optional
configure netlogin port 5 authentication mode optional
configure policy profile 1 name "DMZ" pvid-status "enable" pvid 3530
configure policy profile 2 name "MailServer" pvid-status "enable" pvid 3530 cos-status "enable" cos 1
configure policy profile 3 name "WebServer" pvid-status "enable" pvid 3530
configure policy profile 4 name "AD" pvid-status "enable" pvid 3530 cos-status "enable" cos 3
configure policy profile 5 name "Deny Access" pvid-status "enable" pvid 3530
configure policy profile 7 name "VDI" pvid-status "enable" pvid 3530 egress-vlans 3530
configure policy profile 8 name "DCMDemokit" pvid-status "enable" pvid 3540 egress-vlans 3540
configure policy rule 1 udpsourceportIP 67 mask 16 drop
configure policy rule 1 tcpsourceportIP 3389 mask 16 cos 4
configure policy rule 1 ipproto 1 mask 8 drop
configure policy rule 2 udpsourceportIP 67 mask 16 drop
configure policy rule 2 tcpsourceportIP 80 mask 16 drop
configure policy rule 2 tcpsourceportIP 3389 mask 16 cos 4
configure policy rule 3 udpsourceportIP 67 mask 16 drop
configure policy rule 3 tcpsourceportIP 3389 mask 16 cos 4
configure policy rule 5 ipproto 1 mask 8 drop
configure policy rule 5 ipproto 6 mask 8 drop
configure policy rule 5 ipproto 17 mask 8 drop
Core-Lab-Network.5 # sh config netlogin
#
# Module netLogin configuration.
#
enable netlogin dot1x mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "ckr'ptplsa"
enable netlogin ports 1-6 mac
configure netlogin mac ports 1 timers reauthentication on
configure netlogin mac ports 2 timers reauthentication on
configure netlogin mac ports 3 timers reauthentication on
configure netlogin mac ports 4 timers reauthentication on
configure netlogin mac ports 5 timers reauthentication on
configure netlogin mac ports 6 timers reauthentication on
Core-Lab-Network.6 # sh config aaa
#
# Module aaa configuration.
#
configure radius netlogin 1 server 192.168.10.31 1812 client-ip 192.168.10.1 vr VR-Default
configure radius 1 shared-secret encrypted "#$KWL/jjCjiUsl/KlkJtR1Ag6ENmJDzLlN5CccJ4zm"
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
Regards
ZdenÄk Pala