09-28-2018 01:03 PM
07-13-2021 07:52 PM
Thanks
I’ll check the new command in 31.2 at some point as it might have a good simpler option.
Thanks for the replies.
03-28-2022 03:39 PM
Hate to resurrect a dead topic here, but I've got my netlogin configured for mac auth, no dot1x, and I'm struggling with authentication mode optional.
I have mac auth working to the RADIUS server, and authentication mode optional configured. However, when testing with the RADIUS server unavailable, I get a <Warn:AAA.RADIUS.noServerResp> log for exceeding the number of retries, and a <Noti:nl.ClientAuthFailure> log for the mac auth actually failing since RADIUS server was unavailable.
Could there be something else that I'm missing that actually makes the authentication optional? Am I not properly understanding how the optional authentication works?
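The two log events named in the question can be used to tell an authentication failure caused by the RADIUS server being unreachable apart from a genuine reject, which is the first thing to check before deciding whether the optional mode is misbehaving. The following is an added example, not code from the thread or from Extreme Networks: it parses constructed EXOS-style log lines (only the `<Warn:AAA.RADIUS.noServerResp>` and `<Noti:nl.ClientAuthFailure>` tags come from the thread; the timestamp layout and message wording are assumed) and attributes each client failure to AAA unavailability when a noServerResp event precedes it within a short window.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample lines. Only the event tags in angle brackets come from
# the thread; the timestamp layout, message text, addresses and ports are
# assumed for illustration.
SAMPLE_LOG = """\
03/28/2022 15:30:01.12 <Warn:AAA.RADIUS.noServerResp> Exceeded number of retries to RADIUS server 10.0.0.5
03/28/2022 15:30:02.40 <Noti:nl.ClientAuthFailure> Network Login MAC user 00:11:22:33:44:55 failed authentication on port 1:12
03/28/2022 15:30:03.05 <Noti:nl.ClientAuthFailure> Network Login MAC user 00:11:22:33:44:56 failed authentication on port 1:13
03/28/2022 15:45:10.00 <Noti:nl.ClientAuthFailure> Network Login MAC user 00:aa:bb:cc:dd:ee failed authentication on port 1:7
"""

# Assumed line layout: "<timestamp> <Severity:Component.Event> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"<(?P<sev>\w+):(?P<event>[\w.]+)> (?P<msg>.*)$"
)
MAC_RE = re.compile(r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")
PORT_RE = re.compile(r"port (\S+)")


@dataclass
class LogEvent:
    ts: datetime
    severity: str
    event: str
    msg: str


@dataclass
class AuthFailure:
    ts: datetime
    mac: Optional[str]
    port: Optional[str]
    cause: str  # "aaa_unavailable" or "rejected"


def parse_log(text: str) -> List[LogEvent]:
    """Parse log lines into events; lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(LogEvent(
            ts=datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
            severity=m["sev"], event=m["event"], msg=m["msg"]))
    return events


def classify_failures(events: List[LogEvent],
                      window: timedelta = timedelta(seconds=30)) -> List[AuthFailure]:
    """Attribute each nl.ClientAuthFailure to RADIUS unavailability when an
    AAA.RADIUS.noServerResp was logged at most `window` earlier; otherwise
    treat it as a real reject by the server."""
    last_no_resp: Optional[datetime] = None
    failures = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "AAA.RADIUS.noServerResp":
            last_no_resp = ev.ts
        elif ev.event == "nl.ClientAuthFailure":
            aaa_down = last_no_resp is not None and ev.ts - last_no_resp <= window
            mac = MAC_RE.search(ev.msg)
            port = PORT_RE.search(ev.msg)
            failures.append(AuthFailure(
                ts=ev.ts,
                mac=mac.group(1) if mac else None,
                port=port.group(1) if port else None,
                cause="aaa_unavailable" if aaa_down else "rejected"))
    return failures


def summarize(failures: List[AuthFailure]) -> dict:
    """Count failures per cause; a burst of aaa_unavailable is an outage, not an intrusion signal."""
    counts = {"aaa_unavailable": 0, "rejected": 0}
    for f in failures:
        counts[f.cause] += 1
    return counts


if __name__ == "__main__":
    found = classify_failures(parse_log(SAMPLE_LOG))
    for f in found:
        print(f.ts, f.mac, f.port, f.cause)
    print(summarize(found))
```

In the sample, the two failures logged a few seconds after the noServerResp event are classified as caused by the unreachable server, while the one fifteen minutes later, with no preceding noServerResp, counts as a genuine reject. Only the second category should feed a "device failed authentication" alert; the first should raise an AAA availability alert, and it is also the set of ports on which any optional-mode fallback VLAN or policy would be in effect and should be reviewed.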
07-13-2021 01:38 PM
P.S. I saw the service-unavailable netlogin command in the 31.2 User Guide, but my X440-G2 running 31.2 currently doesn’t let the command through...
07-12-2021 08:00 PM
Hi Chad,
Personally, I didn’t consider that strong advice, but rather a particular deployment example. I might be low on caffeine though. 😉
My favourite approach: dot1x > mac.
If something is dot1x capable, it will run through it.
If something is not dot1x capable, it will run solely through EAC authorization rules.
If something is to be treated well (e.g. a list of sanctioned printers’ MAC addresses), it will.
If something is falling down to default catch-all, I’d deny it. Have a list of devices that should be entitled to fail over with MAC-auth just above catch-all rule in case of backend issues (or use Failsafe Policy mapping within EAC profile).
If the switch is not even able to reach the NAC gateway and we still see such a risk despite the multiple redundancy measures we could already have taken, I’d consider auth mode optional and some default VLAN+ACL or default Policy set on access ports. But please remember to apply the least privilege approach there as well. Otherwise, if dot1x and mac auth fail due to an EAC communication issue, various kinds of devices might end up in the same VLAN and so on. I strongly recommend considering what is really needed for such devices and users. DHCP/DNS/ARP, HTTPS? What about surveillance cameras failing over to such a default role? Perhaps the port isolation feature on EXOS or a rule that prevents the same subnet as destination is a must in the end.
Just some food for thought.
Hope that helps,
Tomasz