cancel
Showing results for 
Search instead for 
Did you mean: 

Fail open port / user authentication

Fail open port / user authentication

Anonymous
Not applicable
Apologies in advance if this is an easy one...

Basically the question is in EXOS, what would be the configuration to fail authentication open albeit MAC, PEAP, EAP-TLS etc if both RADIUS / NAC appliances become unavailable?

With NAC / RADIUS not available I would either need to fail open, or do something else that would still grant access to the network.

Appreciate anything already authenticated onto the network would stay connected. I believe there is a timer that can be configured to set the re-authentication time or turn off completely.

An option could possibly move to local switch authentication using MAC addresses if all those are previous stored / configured on the switch?

Possibly use something like the following:

configure netlogin authentication failure vlan Default ports 1-22
configure netlogin authentication service-unavailable vlan Default ports 1-22

Although some ports like phones might have multiple VLAN's, so not sure how that would work.

Possibly something else I haven't thought of or found?

Many thanks in advance

14 REPLIES 14

Chad5
Contributor

Thanks @Tomasz … food well digested 🙂

I’ll check the new command in 31.2 at some point as it might have a good simpler option.

Thanks for the replies.

Jon11
New Contributor

Hate to resurrect a dead topic here, but I've got my netlogin configured for mac auth, no dot1x, and I'm struggling with authentication mode optional.

I have mac auth working to the RADIUS server, and authentication mode optional configured. However, when testing with the RADIUS server unavailable, I get a <Warn:AAA.RADIUS.noServerResp> log for exceeding the number of retries, and a <Noti:nl.ClientAuthFailure> log for the mac auth actually failing since RADIUS server was unavailable.

Could there be something else that I'm missing that actually makes the authentication optional? Am I not properly understanding how the optional authentication works?

Tomasz
Valued Contributor II

P.S. I saw the service-unavailable netlogin command in 31.2 User Guide but on my X440-G2 running 31.2 it doesn’t let the command thru currently...

Tomasz
Valued Contributor II

Hi Chad,

 

Personally I didn’t consider that as a strong advice but some particular deployment example. I might be low on caffeine though. 😉

My favourite approach: dot1x > mac.

If something is dot1x capable, it will run through it.

If something is not dot1x capable, it will run solely through EAC authorization rules.

If something is to be treated well (e.g. a list of sanctioned printers’ MAC addresses), it will.

If something is falling down to default catch-all, I’d deny it. Have a list of devices that should be entitled to fail over with MAC-auth just above catch-all rule in case of backend issues (or use Failsafe Policy mapping within EAC profile).

If the switch is not even able to get to the NAC gateway and we still see such risk although multiple redundancy measures we could’ve already taken, I’d consider auth mode optional and some default VLAN+ACL or default Policy set to access ports. But please remember to span the least privilege approach over there as well. Otherwise, if dot1x and mac auth fails due to EAC communication issue, various kind of devices might end up in the same VLAN and so on. I strongly recommend to consider what is really needed for such devices and users. DHCP/DNS/ARP, HTTPS? What about surveillance cameras failover to such default role? Perhaps port isolation feature on EXOS or a rule that prevents the same subnet as destination is a must in the end.


Just some food for thoughts.

 

Hope that helps,

Tomasz

GTM-P2G8KFN