Netlogin MAC-based auth problems

Ilya_Semenov
Contributor
Hello, everybody,

I've got a recommendation from an Extreme employee (he is really an expert!) to configure netlogin mac-based auth. (I need it to bring more data like Device Type and Operating System from identity-management on Summits to Netsight. NAC is also involved).

He said:

"For MAC-auth your users do not need to enter anything at all – they just connect to the network as usual and NAC automatically does the mac-auth (for visibility purposes only). When you add the “switch” into the NAC switch database, you can select “no attribute to send back”; in this case MAC-auth happens but no policy will be applied to the port, so clients connect as usual but NAC knows everything about the client and provides these details in NMS screens/reports."

How can I configure that "MAC-auth for visibility purpose only"? I've tried to do so many times and every time the switch just blocks the port when I attach any device...

Please help! Does anybody understand how exactly I should configure mac-based netlogin auth on a Summit, taking into consideration the recommendation above?

Many thanks in advance,

Ilya

16 REPLIES

Hello, Matthew,

thanks, here it is (below). With this configuration the device works fine. There isn't anything related to netlogin mac-based auth now (I removed it).

X430-48t.3 # show configuration
#
# Module devmgr configuration.
#
configure snmp sysContact "support@extremenetworks.com, +1 888 257 3000"
configure sys-recovery-level switch reset

#
# Module vlan configuration.
#
configure vlan default delete ports all
configure vr VR-Default delete ports 1-52
configure vr VR-Default add ports 1-52
configure vlan default delete ports 8,13,48,50
enable jumbo-frame ports all
create vlan "VLAN10"
configure vlan VLAN10 tag 10
create vlan "VLAN1024"
create vlan "VLAN1025"
create vlan "vlan3139"
configure vlan vlan3139 tag 3139
enable sharing 46 grouping 46,48 algorithm address-based L3 lacp
configure vlan Default add ports 1-7,9-12,14-47,49,51-52 untagged
configure vlan VLAN10 add ports 44,49 tagged
configure vlan vlan3139 add ports 49 tagged
configure vlan vlan3139 add ports 8,13 untagged
configure vlan Default ipaddress 192.168.13.5 255.255.254.0
configure vlan VLAN10 ipaddress 10.10.10.55 255.255.255.0

#
# Module fdb configuration.
#

#
# Module rtmgr configuration.
#
configure iproute add default 192.168.13.3

#
# Module mcmgr configuration.
#
configure forwarding ipmc lookup-key mac-vlan

#
# Module aaa configuration.
#
configure account admin encrypted "$5$uni7jv$Dr65.wIgsf7XteqWQtqJrhwYtDzB0lsiHNn

#
# Module acl configuration.
#

#
# Module cfgmgr configuration.
#
enable cli-config-logging

#
# Module dosprotect configuration.
#

#
# Module dot1ag configuration.
#

#
# Module eaps configuration.
#

#
# Module edp configuration.
#

#
# Module elrp configuration.
#

#
# Module ems configuration.
#
configure syslog add 192.168.13.246:514 vr VR-Mgmt local7
enable log target syslog 192.168.13.246:514 vr VR-Mgmt local7
configure log target syslog 192.168.13.246:514 vr VR-Mgmt local7 filter DefaultF
configure log target syslog 192.168.13.246:514 vr VR-Mgmt local7 match Any
configure log target syslog 192.168.13.246:514 vr VR-Mgmt local7 format timestam
configure syslog add 192.168.13.246:514 vr VR-Default local0
enable log target syslog 192.168.13.246:514 vr VR-Default local0
configure log target syslog 192.168.13.246:514 vr VR-Default local0 filter Defau
configure log target syslog 192.168.13.246:514 vr VR-Default local0 match Any
configure log target syslog 192.168.13.246:514 vr VR-Default local0 format times

#
# Module epm configuration.
#

#
# Module erps configuration.
#

#
# Module esrp configuration.
#

#
# Module etmon configuration.
#

#
# Module exsshd configuration.
#
enable ssh2

#
# Module hal configuration.
#

#
# Module idMgr configuration.
#
enable identity-management
configure identity-management add ports 1-48,50-52
configure identity-management kerberos snooping add server 192.168.13.20
configure identity-management kerberos snooping add server 192.168.13.51

#
# Module ipSecurity configuration.
#
enable ip-security dhcp-snooping vlan Default port 1-52 violation-action none

#
# Module lacp configuration.
#

#
# Module lldp configuration.
#

#
# Module mrp configuration.
#

#
# Module netLogin configuration.
#

#
# Module netTools configuration.
#
configure dns-client add name-server 192.168.13.20 vr VR-Default
configure bootprelay add 192.168.13.251 vr VR-Default
enable bootprelay ipv4 vlan Default
configure bootprelay vlan Default add 192.168.13.251

#
# Module poe configuration.
#

#
# Module snmpMaster configuration.
#
configure snmpv3 add user "user" engine-id 80:00:07:7c:03:00:04:96:98:0e:bc autha:23:da:23:d7:23:e8:3f:23:d8:21:23:c7:5c:23:95:39 privacy privacy-encrypted loca:c7:5c:23:95:39
configure snmpv3 add user "snmpuser" engine-id 80:00:07:7c:03:00:04:96:98:0e:bc 23??79:57:23??6d:24:23:7d:23:b1 privacy privacy-encrypted localized-key 75:2
configure snmpv3 add group "NAC" user "snmpuser" sec-model usm
configure snmpv3 add access "NAC" sec-model usm sec-level priv read-view "intern
configure snmpv3 add mib-view "internet" subtree 1.0/80 type included
configure snmpv3 add target-addr "informtarget" param "informparam" ipaddress 19
configure snmpv3 add target-params "informparam" user "user" mp-model snmpv3 sec
configure snmpv3 add notify "defaultinform" tag "defaultinform" type inform

#
# Module stp configuration.
#

#
# Module techSupport configuration.
#
enable tech-support collector

#
# Module telnetd configuration.
#

#
# Module thttpd configuration.
#
configure ssl certificate hash-algorithm sha512

#
# Module xmlc configuration.
#
create xml-notification target netsight_192.168.13.248 url https://192.168.13.24
configure xml-notification target netsight_192.168.13.248 user ssadmin encrypted
configure xml-notification target netsight_192.168.13.248 from 192.168.13.5
enable xml-notification netsight_192.168.13.248
configure xml-notification target netsight_192.168.13.248 add idMgr
X430-48t.4 #

Were you ever able to solve the netlogin issue? I have the same issue with netlogin on my switch using MAC authentication to a RADIUS server.

<Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user XX:XX:XX:XX:XX:XX Mac XX:XX:XX:XX:XX:XX port 1:8
<Erro:nl.mac.MacListEmpty> Mac authentication was initiated, but mac-list for virtual router VR-Default is empty
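
A triage sketch for the two kinds of evidence posted in this thread: it counts `nl.ClientAuthFailure` events per port, collects the virtual routers named in `nl.mac.MacListEmpty`, and checks whether the netLogin module of a saved `show configuration` has any commands. This is an added example, not part of the original posts or Extreme's tooling; the function names and the sample input (built from the messages and configuration layout quoted above, with documentation-range MAC addresses) are assumptions.

```python
import re
from collections import Counter

# Event tag format as quoted in the thread: <Severity:component.Event> message
EVENT = re.compile(r"<\w+:(?P<event>[\w.]+)>\s*(?P<msg>.*)")
FAIL = re.compile(r"Network Login MAC user \S+ Mac \S+ port (?P<port>\S+)")
EMPTY = re.compile(r"mac-list for virtual router (?P<vr>\S+) is empty")
MODULE = re.compile(r"^# Module (?P<name>\w+) configuration\.")

# Constructed sample input modelled on the thread (MACs are documentation values).
SAMPLE_LOG = [
    "<Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user 00:00:5E:00:53:01 Mac 00:00:5E:00:53:01 port 1:8",
    "<Erro:nl.mac.MacListEmpty> Mac authentication was initiated, but mac-list for virtual router VR-Default is empty",
    "<Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user 00:00:5E:00:53:02 Mac 00:00:5E:00:53:02 port 1:8",
]
SAMPLE_CONFIG = "#\n# Module idMgr configuration.\n#\nenable identity-management\n\n#\n# Module netLogin configuration.\n#\n"

def triage_log(lines):
    """Return (failures per port, VRs whose mac-list is reported empty)."""
    failures, empty_vrs = Counter(), set()
    for line in lines:
        ev = EVENT.search(line)
        if not ev:
            continue
        fail, empty = FAIL.search(ev["msg"]), EMPTY.search(ev["msg"])
        if ev["event"] == "nl.ClientAuthFailure" and fail:
            failures[fail["port"]] += 1
        elif ev["event"] == "nl.mac.MacListEmpty" and empty:
            empty_vrs.add(empty["vr"])
    return failures, empty_vrs

def module_commands(config_text):
    """Map each '# Module X configuration.' section to its command lines."""
    modules, current = {}, None
    for line in map(str.strip, config_text.splitlines()):
        m = MODULE.match(line)
        if m:
            current = m["name"]
            modules[current] = []
        elif current and line and not line.startswith("#"):
            modules[current].append(line)
    return modules

def diagnose(log_lines, config_text):
    """Combine both sources into short findings for the operator."""
    failures, empty_vrs = triage_log(log_lines)
    findings = [f"MAC auth failed {n}x on port {p}" for p, n in sorted(failures.items())]
    findings += [f"mac-list empty on {vr}" for vr in sorted(empty_vrs)]
    if not module_commands(config_text).get("netLogin"):
        findings.append("netLogin module has no commands in this configuration")
    return findings
```
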