Netlogin MAC-based auth problems
05-26-2017 04:16 PM
Hello everybody,
I've got a recommendation from an Extreme employee (he is really an expert!) to configure netlogin MAC-based auth. (I need it to bring more data, like Device Type and Operating System, from identity management on the Summits to NetSight. NAC is also involved.)
He said:
"For MAC-auth your users do not need to enter anything at all – they just connect to the network as usual and NAC automatically does the MAC-auth (for visibility purposes only). When you add the "switch" into the NAC switch database, you can select "no attribute to send back"; in this case MAC-auth happens but no policy will be applied to the port, so clients connect as usual but NAC knows everything about the client and provides these details in NMS screens/reports."
How can I configure that "MAC-auth for visibility purposes only"? I've tried many times, and every time the switch just blocks the port when I attach any device...
Please help! Does somebody understand exactly how I should configure MAC-based netlogin auth on a Summit, taking into consideration the recommendation above?
Many thanks in advance,
Ilya
05-27-2017 02:35 PM
Hi Ilya,
The local database can also be used for MAC authentication, without a RADIUS server. If you use the switch's local database, you need the following configuration:
configure netlogin mac authentication database-order local
create netlogin local-user "<user-name>" "<password>"
ex> create netlogin local-user "507B9DD58ECE" "507B9DD58ECE"
You have configured the "NTLG" VLAN as the netlogin VLAN, which means NTLG will be used for unauthenticated clients. You need to assign a VLAN for MAC-authenticated clients in one of the following two ways:
(Let's say the MAC-authenticated clients should be assigned to VLAN3139.)
i. Pre-configure the VLAN on port 17
configure vlan VLAN3139 add port 17
Port 17 will be assigned to VLAN3139 after MAC authentication.
ii. Use the VLAN-VSA
configure netlogin local-user "<user-name>" vlan-vsa [tagged | untagged] VLAN3139
Since you configured the port mode as "mac-based-vlans" (not port-based-vlans), I think using the VLAN-VSA would be the proper way for that mode.
I hope this helps...
05-27-2017 02:35 PM
Hello Karthik,
Thanks for your reply. I don't have RADIUS configured yet. Is it really required? Could it be local authentication?
Could you please explain this in more detail: "since you do not want any action taken by NAC you also need to add the port to the intended VLAN (ISP mode)." What do you mean?
Many thanks in advance,
Ilya
05-26-2017 06:46 PM
Maybe you need to set netlogin auth to optional instead of required.
configure netlogin port 1:36 authentication mode optional
05-26-2017 06:46 PM
The final changes:
# Module netLogin configuration.
#
configure netlogin move-fail-action authenticate
configure netlogin vlan NTLG
enable netlogin mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 ports 17
enable netlogin ports 17 mac
configure netlogin ports 17 mode mac-based-vlans
configure netlogin ports 17 no-restart
configure netlogin ports 17 allow egress-traffic all_cast
* X430-48t.41 #
The message about MacListEmpty is gone, but it still says:
05/27/2017 13:11:16.16 Authentication failed for Network Login MAC user F46D041BD09B Mac F4:6D:04:1B:D0:9B port 17
But it seems like the port isn't blocked now (I am out of the office and testing remotely).
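The two threads of advice above, the local-database route in the first reply and the catch-all mac-list entry plus the "Authentication failed" log lines in the last post, both come down to whether a given client MAC is covered by an entry on the switch. The following is an added example, not code from the thread or from Extreme: it parses EXOS netlogin failure lines in the format quoted above (the sample log text is constructed), checks each MAC against a mac-list entry using the EXOS mask semantics (the mask is the number of leading bits that must match, so ff:ff:ff:ff:ff:ff with mask 48 matches only the broadcast address, not every client; 24 bits would cover an OUI), and emits `create netlogin local-user` commands in the form the first reply uses for any MAC that nothing covers. The function names are my own.

```python
"""Added example, not from the thread: check which MACs from EXOS netlogin
failure logs an existing mac-list entry covers, and emit EXOS local-user
commands for the rest. Assumes the log and command formats quoted in the
thread; SAMPLE_LOG below is constructed."""
import re

# Constructed sample log: the line from the thread plus a second device and
# one unrelated netlogin message that must be ignored.
SAMPLE_LOG = """\
05/27/2017 13:11:16.16 Authentication failed for Network Login MAC user F46D041BD09B Mac F4:6D:04:1B:D0:9B port 17
05/27/2017 13:12:02.40 Authentication failed for Network Login MAC user 507B9DD58ECE Mac 50:7B:9D:D5:8E:CE port 18
05/27/2017 13:12:05.01 Mac authentication was initiated, but mac-list for virtual router VR-Default is empty
"""

FAIL_RE = re.compile(
    r"Authentication failed for Network Login MAC user \S+ "
    r"Mac ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}) port (\d+)"
)


def mac_to_int(mac: str) -> int:
    """'F4:6D:04:1B:D0:9B' -> 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_list_matches(entry_mac: str, mask_bits: int, mac: str) -> bool:
    """EXOS mac-list semantics: mask_bits is the number of leading bits that
    must match. ff:ff:ff:ff:ff:ff with mask 48 therefore matches only the
    broadcast address; an OUI entry with mask 24 matches a whole vendor range."""
    if not 0 <= mask_bits <= 48:
        raise ValueError("mask must be 0..48 bits")
    mask = ((1 << mask_bits) - 1) << (48 - mask_bits)
    return (mac_to_int(entry_mac) & mask) == (mac_to_int(mac) & mask)


def parse_failures(log_text: str) -> list[tuple[str, int]]:
    """Return (mac, port) for every MAC-auth failure line, in log order."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            out.append((m.group(1).upper(), int(m.group(2))))
    return out


def uncovered_macs(entries: list[tuple[str, int]],
                   failures: list[tuple[str, int]]) -> list[str]:
    """Distinct MACs that no (entry_mac, mask_bits) pair in the configured
    mac-list covers, preserving first-seen order."""
    seen: list[str] = []
    for mac, _port in failures:
        covered = any(mac_list_matches(e, bits, mac) for e, bits in entries)
        if not covered and mac not in seen:
            seen.append(mac)
    return seen


def local_user_commands(macs: list[str]) -> list[str]:
    """EXOS local-database entries in the form the reply above uses: the MAC
    without separators as both user name and password. This is an inventory
    mechanism, not authentication: a MAC address is trivially spoofed, so do
    not treat a matching entry as proof of who the device is."""
    return [
        f'create netlogin local-user "{m.replace(":", "")}" "{m.replace(":", "")}"'
        for m in macs
    ]


if __name__ == "__main__":
    configured = [("ff:ff:ff:ff:ff:ff", 48)]  # the entry from the post above
    failed = parse_failures(SAMPLE_LOG)
    missing = uncovered_macs(configured, failed)
    for mac in missing:
        print(f"{mac} is not covered by the configured mac-list")
    print("\n".join(local_user_commands(missing)))
```

Run against the constructed log, the script reports that neither client MAC is covered by the ff:ff:ff:ff:ff:ff/48 entry and prints a `create netlogin local-user` line for each. Whether the switch then blocks an uncovered client or forwards it anyway is decided by the port's netlogin authentication mode (the "optional instead of required" suggestion earlier in the thread), not by the mac-list; for a visibility-only deployment that setting is what keeps the port open while NAC still records the MAC.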
05-26-2017 06:46 PM
I have made some config changes now:
create vlan "NTLG"
# Module netLogin configuration.
#
configure netlogin move-fail-action authenticate
configure netlogin vlan NTLG
enable netlogin mac
enable netlogin ports 17 mac
configure netlogin ports 17 mode mac-based-vlans
configure netlogin ports 17 no-restart
configure netlogin ports 17 allow egress-traffic all_cast
After these changes I got the following in the log:
05/27/2017 13:04:31.17 Authentication failed for Network Login MAC user F4:6D:04:1B:D0:9B Mac F4:6D:04:1B:D0:9B port 17
05/27/2017 13:04:31.17 Mac authentication was initiated, but mac-list for virtual router VR-Default is empty
Should I add all ports to the NTLG VLAN as tagged?
