Fail open port / user authentication

Anonymous
Not applicable
Apologies in advance if this is an easy one...

Basically the question is: in EXOS, what would be the configuration to fail authentication open, be it MAC, PEAP, EAP-TLS, etc., if both RADIUS / NAC appliances become unavailable?

With NAC / RADIUS not available I would either need to fail open, or do something else that would still grant access to the network.

I appreciate that anything already authenticated onto the network would stay connected. I believe there is a timer that can be configured to set the re-authentication time or turn it off completely.

An option could possibly be to move to local switch authentication using MAC addresses, if all of those are previously stored / configured on the switch?

Possibly use something like the following:

configure netlogin authentication failure vlan Default ports 1-22
configure netlogin authentication service-unavailable vlan Default ports 1-22

Although some ports, like phones, might have multiple VLANs, so I'm not sure how that would work.

Possibly something else I haven't thought of or found?

Many thanks in advance


Chad5
Contributor

Hi Tomasz,


Yes, your comment is accurate. But I also noticed in the thread that the protocol auth order needed to change to MAC first, then dot1x? That part didn't make too much sense to me.


Thanks, 

Tomasz
Valued Contributor II

Hi Chad,


If I understood the thread well, aren't these two, bundled together, what you may need?

  • conf netlogin port X authentication mode optional
  • default policy role applied to a port (to keep our port config handled within the Policy framework)


Hope that helps,

Tomasz
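
For readers assembling the pieces from this thread, the fragment below is an added example, not configuration posted by anyone in the thread: it puts the "optional" authentication mode next to the RADIUS, netlogin and legacy fallback-VLAN commands that the posts above mention. The server addresses, client IP, shared secret and the 1-22 port range are assumed placeholders, and every command should be checked against the command reference of the EXOS release in use (the two authentication failure / service-unavailable commands are reported further down in this thread as no longer present in 30.4). The default policy role that Tomasz pairs with optional mode is left out here because its policy-framework syntax is not shown on this page.

```text
# Added example: EXOS netlogin fragment built from the commands discussed in
# this thread. Addresses, secret and port range are assumed; verify each
# command against the command reference for your EXOS release.

# RADIUS / NAC servers used for netlogin (assumed addresses and VR).
configure radius netlogin primary server 10.10.10.11 1812 client-ip 10.10.1.1 vr VR-Default
configure radius netlogin primary shared-secret <secret>
configure radius netlogin secondary server 10.10.10.12 1812 client-ip 10.10.1.1 vr VR-Default
configure radius netlogin secondary shared-secret <secret>
enable radius netlogin

# 802.1X and MAC authentication on the access ports; protocol order stays
# dot1x first, then mac, then web-based (this is also the default order).
enable netlogin dot1x mac
enable netlogin ports 1-22 dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based

# Optional mode: a port whose authentication does not succeed (no supplicant,
# no RADIUS answer) is not blocked; the client gets whatever the port's
# default policy role allows. This is the fail-open piece from the thread.
configure netlogin port 1-22 authentication mode optional

# Legacy fallback VLANs from the original question. Reported in this thread
# as missing on EXOS 30.4, so only applicable on releases that still accept them.
configure netlogin authentication failure vlan Default ports 1-22
configure netlogin authentication service-unavailable vlan Default ports 1-22
```

The security-relevant point of optional mode is that it applies to every client that fails or never attempts authentication, not only to the RADIUS-unreachable case, so the default policy role on those ports defines the exposure of the network while NAC is down and must be reviewed with that in mind.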

Chad5
Contributor

Interesting discussion. Thank you all for this.

In ERS, there is a fail open config:

https://extremeportal.force.com/ExtrArticleDetail?an=000086929

I was trying to find the same on EXOS and stumbled on this thread.

On EXOS 30.4, I guess the commands were removed:

configure netlogin authentication failure ….
configure netlogin authentication service-unavailable ….

I can't find them. So I guess this thread is the only method to get something similar to ERS fail open.

My only question here is that the protocol order was changed to MAC first… Wouldn't that mean that MAC auth would be preferred over DOT1X? Wouldn't we need to keep the order as DOT1X then MAC, so that if the user has 802.1X, it uses DOT1X first; if not, MAC auth would kick in and use the default policy?

Thanks for any clarification on what I missed.

Ryan_Yacobucci
Extreme Employee
Hey Martin,

I think you still have the port in authentication mode "required"

Authentication Mode : Required (Policy Enabled only)


What happens if you use Brad's command:

configure netlogin port authentication mode optional

Thanks
-Ryan

Anonymous
Not applicable
Ah, there lies my misconception.... thinking that optional mode related to 802.1x as well!

Set the auth to optional, and now it's working as expected.

Really appreciate your help, Ryan.

Thanks again

Martin