This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forÂ
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- RE: bypass netlogin for some VLANs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
bypass netlogin for some VLANs
bypass netlogin for some VLANs
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:50 PM
Create Date: May 10 2012 7:17AM
A port of an Extreme is configured with netlogin and mac-based-vlans. There are a number of (tagged) VLANs defined on this port. Now I want to bypass the netlogin authentication for devices on a specific VLAN. Is this possible with XOS?
(from Hans-Werner_Paulsen)
A port of an Extreme is configured with netlogin and mac-based-vlans. There are a number of (tagged) VLANs defined on this port. Now I want to bypass the netlogin authentication for devices on a specific VLAN. Is this possible with XOS?
(from Hans-Werner_Paulsen)
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:50 PM
Create Date: May 15 2012 12:51AM
Unfortunately this will not work for us. The VLAN which should authenticate MAC addresses (vlanA) is untagged, and the various MAC addresses on vlanA should be put on different VLANs with the help of the RADIUS server (this part is working fine). But, vlanB (which should go thru) is tagged and therefore cannot be used to park netlogin ports. In addition in the future there will be more than one tagged VLAN, which should bypass netlogin.
The netlogin feature is activated with the help of ACLs. Isn't it possible to modify the ACLs to use netlogin only on a specified VLAN, or vice versa to bypass netlogin on specified VLAN(s)?
(from Hans-Werner_Paulsen)
Unfortunately this will not work for us. The VLAN which should authenticate MAC addresses (vlanA) is untagged, and the various MAC addresses on vlanA should be put on different VLANs with the help of the RADIUS server (this part is working fine). But, vlanB (which should go thru) is tagged and therefore cannot be used to park netlogin ports. In addition in the future there will be more than one tagged VLAN, which should bypass netlogin.
The netlogin feature is activated with the help of ACLs. Isn't it possible to modify the ACLs to use netlogin only on a specified VLAN, or vice versa to bypass netlogin on specified VLAN(s)?
(from Hans-Werner_Paulsen)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:50 PM
Create Date: May 14 2012 8:05AM
I don't think so. The RADIUS server will not receive any VLAN information. Therefore, creating a match condition to map the unknown MAC to a specific VLAN is going to be impossible.
However, you asked "... a way to bypass/disable netlogin at for one VLAN?"
This should work as a workaround for one VLAN:
In summary, the port will be parked in the forwarding VLANB. However, the EAPOL packet will still be forwarded to the Authentication Server for Dot1X and MAC auth.
This also solves the problem for WoL and PXE boot.
(from john_padilla)
I don't think so. The RADIUS server will not receive any VLAN information. Therefore, creating a match condition to map the unknown MAC to a specific VLAN is going to be impossible.
However, you asked "... a way to bypass/disable netlogin at for one VLAN?"
This should work as a workaround for one VLAN:
- disable netlogin dot1x mac unconfigure netlogin vlan delete vlan "temp" (where temp is the VLAN used to park netlogin ports) disable netlogin ports dot1x mac configure vlanB add ports untagged create vlan temp configure netlogin vlan temp enable netlogin ports dot1x mac enable netlogin dot1x mac Verify the ports are present in VLANB with:
show vlan vlanB
show fdb vlanB
In summary, the port will be parked in the forwarding VLANB. However, the EAPOL packet will still be forwarded to the Authentication Server for Dot1X and MAC auth.
This also solves the problem for WoL and PXE boot.
(from john_padilla)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:50 PM
Create Date: May 14 2012 1:52AM
Yes, I do not use 802.1X.
But, I want to define different policies for unknown MAC addresses coming from different VLANs. An unknown MAC address coming from VLAN A should be denied, and an unknown MAC address coming from VLAN B should be allowed. If there is a method to tell the RADIUS server (with the Access-Request packet) that this MAC address is from VLAN A or B, I can set up the RADIUS server accordingly. Or is there simply a way to bypass/disable netlogin at all for one VLAN?
(from Hans-Werner_Paulsen)
Yes, I do not use 802.1X.
But, I want to define different policies for unknown MAC addresses coming from different VLANs. An unknown MAC address coming from VLAN A should be denied, and an unknown MAC address coming from VLAN B should be allowed. If there is a method to tell the RADIUS server (with the Access-Request packet) that this MAC address is from VLAN A or B, I can set up the RADIUS server accordingly. Or is there simply a way to bypass/disable netlogin at all for one VLAN?
(from Hans-Werner_Paulsen)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎01-07-2014 10:50 PM
Create Date: May 11 2012 10:46AM
I am guessing this device is not enabled for 802.1X and does not have a MAC address that is mapped to a RADIUS policy. Therefore, you have a couple options:
I guess there is a third option. This could be done with UPM scripting, but I don't recommend it. UPM for VLAN movement is slow and unreliable.
(from john_padilla)
I am guessing this device is not enabled for 802.1X and does not have a MAC address that is mapped to a RADIUS policy. Therefore, you have a couple options:
- Add a RADIUS policy for this MAC address. Use the authentication failure feature to move the port into an authentication failure VLAN.
- This VLAN should already exist on the switch. The default mac-list should exist in the netlogin configuration.
e.g. Configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48(The purpose of this is to send all unknown mac auth configured interfaces to the RADIUS server. In order for the move to happen, the default aaa radius database order needs to be changed from the default of radius, local to local, radius.
e.g. Configure netlogin mac authentication database-order local radius
I guess there is a third option. This could be done with UPM scripting, but I don't recommend it. UPM for VLAN movement is slow and unreliable.
(from john_padilla)
