Fail open port / user authentication
09-28-2018 01:03 PM
Basically the question is in EXOS, what would be the configuration to fail authentication open albeit MAC, PEAP, EAP-TLS etc if both RADIUS / NAC appliances become unavailable?
With NAC / RADIUS not available I would either need to fail open, or do something else that would still grant access to the network.
Appreciate anything already authenticated onto the network would stay connected. I believe there is a timer that can be configured to set the re-authentication time or turn off completely.
An option could possibly move to local switch authentication using MAC addresses if all those are previous stored / configured on the switch?
Possibly use something like the following:
configure netlogin authentication failure vlan Default ports 1-22
configure netlogin authentication service-unavailable vlan Default ports 1-22
Although some ports like phones might have multiple VLANs, so not sure how that would work.
Possibly something else I haven't thought of or found?
Many thanks in advance
07-12-2021 07:05 PM
Hi Tomasz,
Yes, your comment is accurate. But I also noticed in the thread that the protocol auth order needed to change to MAC first, then dot1x? That part didn’t make too much sense to me.
Thanks,
07-12-2021 02:37 PM
Hi Chad,
If I understood the thread well, aren’t these two bundled together what you may need?
- conf netlogin port X authentication mode optional
- default policy role applied to a port (to keep our port config handled within the Policy framework)
Hope that helps,
Tomasz
07-07-2021 08:39 PM
Interesting discussion. Thank you all for this.
In ERS, there is a fail open config:
https://extremeportal.force.com/ExtrArticleDetail?an=000086929
I was trying to find the same on EXOS and stumbled on this thread.
On EXOS 30.4, I guess the commands were removed:
configure netlogin authentication failure ….
configure netlogin authentication service-unavailable ….
I can’t find them. So I guess this thread is the only method to get something similar to ERS Failopen.
My only question here is that the protocol-order was changed to MAC first… Wouldn’t that mean that MAC auth would be preferred over DOT1X? Wouldn’t we need to keep order as DOT1X then MAC so that if user has 802.1X, then it uses DOT1X first; If not, MAC auth would kick in and use default policy?
Thanks for any clarification on what I missed.
10-08-2018 10:11 AM
I think you still have the port in authentication mode "required"
Authentication Mode : Required (Policy Enabled only)
What happens if you use Brad's command:
configure netlogin port authentication mode optional
Thanks
-Ryan
10-08-2018 10:11 AM
Set the auth to optional, and now working as expected.
Really appreciate your help Ryan.
Thanks again
Martin
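Pulling the pieces of this thread (the original fail-open question, Tomasz's two-part suggestion and Ryan's "optional" fix) into one EXOS configuration, as an added example that is not any poster's actual config. It assumes edge ports 1-22, VLAN Default (tag 1) as the fallback VLAN, policy profile index 1, placeholder NAC/RADIUS addresses in 192.0.2.0/24 and VR-Default; the radius, protocol-order, policy profile/admin-id and reauth timer commands are standard EXOS commands that the thread itself does not quote, so check their exact syntax against the CLI reference for the release in use.

```text
# Added example, not from the thread. Placeholders: ports 1-22, profile 1,
# 192.0.2.x addresses, VR-Default. Adjust to your own environment.

# --- Before: fails closed (the state Martin saw, "Authentication Mode : Required") ---
# With "required", a port whose session cannot be authenticated passes no traffic,
# so a NAC/RADIUS outage blocks every new session.
configure netlogin port 1-22 authentication mode required

# --- After: fails open under a restricted default policy role ---

# 1. Two NAC/RADIUS servers for netlogin, so a single appliance outage fails over.
configure radius netlogin primary server 192.0.2.10 1812 client-ip 192.0.2.1 vr VR-Default
configure radius netlogin primary shared-secret <placeholder-secret>
configure radius netlogin secondary server 192.0.2.11 1812 client-ip 192.0.2.1 vr VR-Default
configure radius netlogin secondary shared-secret <placeholder-secret>
enable radius netlogin

# 2. MAC and 802.1X netlogin on the edge ports.
enable netlogin dot1x mac
enable netlogin ports 1-22 dot1x mac

# 3. Protocol order with MAC first, as the posters observed was needed.
configure netlogin authentication protocol-order mac dot1x web-based

# 4. Policy framework: a default role on the port, so a session that never
#    authenticates (or whose RADIUS request gets no answer) receives this
#    role's VLAN and rules instead of nothing.
enable policy
configure policy profile 1 name Fallback-Access pvid-status enable pvid 1
configure policy port 1-22 admin-id 1

# 5. The decisive setting from Ryan's answer: "optional" lets the port forward
#    under the default role even when authentication fails or both servers are down.
configure netlogin port 1-22 authentication mode optional

# 6. Assumption: reauth-period 0 disables periodic re-authentication, so sessions
#    already authenticated are not torn down during an outage (first post's question).
configure netlogin dot1x timers reauth-period 0
configure netlogin mac timers reauth-period 0

# Verify: the field quoted in the thread should now read "Optional", not "Required".
show netlogin port 1-22
```

Note that "optional" is fail-open for every session, not only during an outage: a device that fails MAC or 802.1X authentication for any reason lands in the default role. Keep that role's VLAN and policy rules as restricted as the outage use case allows, and alert on RADIUS server reachability (and on sessions landing in the fallback role) so a fail-open period is noticed rather than silently persisting.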
