
Netlogin unwanted MAC is authenticated locally

Chacko
Contributor
Hi,

I'm a little bit confused:
We are using netlogin for a year and it's working like you would expect it:
An unknown MAC address shows up on the switch, gets blocked and is reported in EMS.

But now I have an unwanted MAC address which is authenticated locally, but is reported as rejected in EMS - yet the switch authenticates the user and assigns it to the granted VLAN.

Here is the netlogin config:
#
# Module netLogin configuration.
#
configure netlogin vlan AUTH
enable netlogin mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin mac timers reauth-period 7200
enable netlogin ports 1:10-48,2:10-2:48 mac
configure netlogin ports 1:10-48,2:10-2:48 mode mac-based-vlans
configure netlogin ports 1:10-48,2:10-2:48 no-restart
enable netlogin authentication service-unavailable vlan ports 1:10-48,2:10-2:48
configure netlogin authentication service-unavailable vlan office ports 1:10-48,2:10-2:48
Radius is working; the switch is an X450e-48p (stacked) with EXOS 15.3.2.11.

I'm happy for feedback

Best Regards
Chacko

Karthik_Mohando
Extreme Employee
Hi Chacko,

If the MAC is authenticated by EMC then we will see a different log message, but looking at the log message which you have shared, the authentication has been processed locally by the switch:

Network Login MAC user 104FA8XXXXXX logged in MAC 10:4F:A8:XX:XX:XX port 2:20 VLAN(s) "office", authentication Locally

I wanted to check whether the local user database has this MAC address or not; that can be checked using the command "show netlogin local-users" on the switch.
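To cross-check "show log" against "show netlogin local-users" the way Karthik describes, here is an added script (not from the thread and not Extreme's own tooling) that parses the login message format quoted above and flags logins marked "authentication Locally" whose MAC has no local user entry. The timestamps, the "Radius" variant of the message and the local-user row are constructed assumptions for the sample data.

```python
import re

# Constructed sample "show log" lines modelled on the message quoted in the thread;
# the timestamps and the RADIUS-authenticated line are assumptions, not from the page.
SAMPLE_LOG = """\
08/15/2017 10:01:02.11 Network Login MAC user 104FA8XXXXXX logged in MAC 10:4F:A8:XX:XX:XX port 2:20 VLAN(s) "office", authentication Locally
08/15/2017 10:01:05.42 Network Login MAC user 000123AABBCC logged in MAC 00:01:23:AA:BB:CC port 1:12 VLAN(s) "AUTH", authentication Radius
08/15/2017 10:02:17.90 Network Login MAC user 0050C2112233 logged in MAC 00:50:C2:11:22:33 port 2:31 VLAN(s) "AUTH", authentication Locally
"""

# Constructed "show netlogin local-users" output with one entry, so the third
# login above is expected while the first one is not.
SAMPLE_LOCAL_USERS = """\
Netlogin Local User Name Extended-VLAN VSA Security Profile
------------------------ ----------------------------- ----------------------
0050C2112233             AUTH
"""

LOGIN_RE = re.compile(
    r'Network Login MAC user (?P<user>\S+) logged in MAC (?P<mac>\S+) '
    r'port (?P<port>\S+) VLAN\(s\) "(?P<vlans>[^"]*)", authentication (?P<auth>\w+)'
)

def norm_mac(mac):
    """Canonicalise a MAC so 10:4F:A8:XX:XX:XX and 104FA8XXXXXX compare equal."""
    return re.sub(r'[^0-9A-Za-z]', '', mac).upper()

def parse_logins(log_text):
    """Extract every netlogin MAC login event from 'show log' output."""
    return [m.groupdict() for m in LOGIN_RE.finditer(log_text)]

def parse_local_users(output):
    """Return the user names listed by 'show netlogin local-users' (rows after the dashes)."""
    users, seen_separator = set(), False
    for line in output.splitlines():
        if line.startswith('---'):
            seen_separator = True
        elif seen_separator and line.strip():
            users.add(norm_mac(line.split()[0]))
    return users

def unexpected_local_logins(log_text, local_users_output):
    """Logins the switch authenticated locally although no matching local user exists."""
    known = parse_local_users(local_users_output)
    return [e for e in parse_logins(log_text)
            if e['auth'].lower() == 'locally' and norm_mac(e['mac']) not in known]

if __name__ == '__main__':
    for e in unexpected_local_logins(SAMPLE_LOG, SAMPLE_LOCAL_USERS):
        print(f"{e['mac']} on port {e['port']} -> VLAN {e['vlans']}: local auth, no local user")
```

Feed it the real "show log" and "show netlogin local-users" output; any MAC it reports is one the switch admitted locally without a local-user entry, which is exactly the case described in this thread.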

Hi,

okay, I can follow you.
Here is the output:
Slot-1 sw # sh netlogin local-users
Netlogin Local User Name Extended-VLAN VSA Security Profile
------------------------ ----------------------------- ----------------------
Slot-1 sw #

So the local database is empty.

BR
Chacko

Karthik_Mohando
Extreme Employee
Chacko,

Is it possible to post the screenshot of the rejection message in the EMS?

Can you check if this MAC address is not present as local user in the switch itself?
The command is "show netlogin local-users"

If you have a radius server configured, can you post the "show config aaa" output, and did the radius request pass before the switch decided to do a local authentication? You can see this from "show log" if the radius requests are failing.

Hi,

sorry, I misspelled it - I meant EMC (Management Center):

The first line is the configuration for our NAC appliances, so that policy is underneath the "allow if MAC and end-system group xxx" policies.
The second line is the output in Access Control -> Rejected End-Systems.

Radius is properly configured, the priority is the default (radius, local), and the local MAC users are empty.

There are no other log entries related to authentication as soon as the port comes up.
All the other netlogin devices are working fine on that switch, and I can say with 100% certainty that the MAC address is not known in our Access Control database (first, I built a script for checking it, and second, the right policy is chosen, so the MAC cannot be inside our end-system groups).

BR
Chacko

Karthik_Mohando
Extreme Employee
Hi Chacko,

Can you post the "show netlogin port" and "show log" output which has the login success message?