This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- Fail open port / user authentication
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Fail open port / user authentication
Fail open port / user authentication
Anonymous
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-28-2018 01:03 PM
Apologies in advance if this is an easy one...
Basically the question is in EXOS, what would be the configuration to fail authentication open albeit MAC, PEAP, EAP-TLS etc if both RADIUS / NAC appliances become unavailable?
With NAC / RADIUS not available I would either need to fail open, or do something else that would still grant access to the network.
Appreciate anything already authenticated onto the network would stay connected. I believe there is a timer that can be configured to set the re-authentication time or turn off completely.
An option could possibly move to local switch authentication using MAC addresses if all those are previous stored / configured on the switch?
Possibly use something like the following:
configure netlogin authentication failure vlan Default ports 1-22
configure netlogin authentication service-unavailable vlan Default ports 1-22
Although some ports like phones might have multiple VLAN's, so not sure how that would work.
Possibly something else I haven't thought of or found?
Many thanks in advance
Basically the question is in EXOS, what would be the configuration to fail authentication open albeit MAC, PEAP, EAP-TLS etc if both RADIUS / NAC appliances become unavailable?
With NAC / RADIUS not available I would either need to fail open, or do something else that would still grant access to the network.
Appreciate anything already authenticated onto the network would stay connected. I believe there is a timer that can be configured to set the re-authentication time or turn off completely.
An option could possibly move to local switch authentication using MAC addresses if all those are previous stored / configured on the switch?
Possibly use something like the following:
configure netlogin authentication failure vlan Default ports 1-22
configure netlogin authentication service-unavailable vlan Default ports 1-22
Although some ports like phones might have multiple VLAN's, so not sure how that would work.
Possibly something else I haven't thought of or found?
Many thanks in advance
14 REPLIES 14
Anonymous
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
10-08-2018 08:56 AM
Hi Ryan,
Just working on this now. So have set the authentication order to MAC, 802.1x and Web. Additionally configured a default role that contains the port to a specific VLAN - Guest VLAN in this case. Only currently testing this on one port, 1:4.
Have disabled the NAC and testing if the end-system can still connect.
Looking at the logs the device first tries MAC auth then 802.1x but fails both, and then cant connect to the network.
Here is the log:
10/08/2018 10:30:35.07 Slot-1: Authentication failed for Network Login 802.1x user host/CAN3079.domain.org.uk Mac B8:6B:23:82:06:85 port 1:4
10/08/2018 10:30:35.06 Slot-1: Authentication failed for Network Login MAC user B86B23820685 Mac B8:6B:23:82:06:85 port 1:4
The configuration for Netlogin and Policy is shown below:
enable netlogin dot1x mac
configure netlogin authentication protocol-order mac dot1x web-based
enable netlogin ports 1:4 dot1x
enable netlogin ports 1:1-48,2:1-48,3:1-48 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "#$blVDSCrXyf9R/WdJIgkGS7+UVGf8Fg=="
configure policy profile 5 name "Guest Access" pvid-status "enable" pvid 4095 cos-status "enable" cos
configure policy rule admin-profile port 1:4 mask 16 port-string 1:4 admin-pid 5
This is the output from show netlogin:
Floor_18-EDGE-STK-02.1 # show netlogin port 1:4
Port : 1:4
Authentication : 802.1x, mac-based
Port State : Enabled
Authentication Mode : Required (Policy Enabled only)
Max Supported Users : 1024 (Policy Enabled only)
Allowed Users : 128 (Policy Enabled only)
Current Users : 0 (Policy Enabled only)
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication period : 3600
Re-authentication : Off
Authentication Delay : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------
MAC IP address Authenticated Type ReAuth-Timer User
b8:6b:23:82:06:85 0.0.0.0 No 802.1x 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB
So in this case, even though there is a default policy the client will not connect. What is odd is the type says 802.1x. So I decided to disable the supplicant on the client, clear the netlogin season for port 1:4 and reconnect.
When the device connects the logs now just show is trying MAC auth, no entry for 802.1x:
10/08/2018 10:48:39.15 Slot-1: Authentication failed for Network Login MAC user B86B23820685 Mac B8:6B:23:82:06:85 port 1:4
10/08/2018 10:48:39.15 Slot-1: Attempted the configured number of retries (3) to each of the 1 authentication servers without a server response for B8-6B-23-82-06-85(username 'B86B23820685') on port 1:4.
When you look as the session information it still says the type is 802.1x, either way I can't get the port to fallback to the default role:
------------------------------------------------
Netlogin Clients
------------------------------------------------
MAC IP address Authenticated Type ReAuth-Timer User
b8:6b:23:82:06:85 0.0.0.0 No 802.1x 0
-----------------------------------------------
Just wondering if you can see anything wrong, maybe share the configuration in the example you have provided.
Many thanks in advance
Just working on this now. So have set the authentication order to MAC, 802.1x and Web. Additionally configured a default role that contains the port to a specific VLAN - Guest VLAN in this case. Only currently testing this on one port, 1:4.
Have disabled the NAC and testing if the end-system can still connect.
Looking at the logs the device first tries MAC auth then 802.1x but fails both, and then cant connect to the network.
Here is the log:
10/08/2018 10:30:35.07 Slot-1: Authentication failed for Network Login 802.1x user host/CAN3079.domain.org.uk Mac B8:6B:23:82:06:85 port 1:4
10/08/2018 10:30:35.06 Slot-1: Authentication failed for Network Login MAC user B86B23820685 Mac B8:6B:23:82:06:85 port 1:4
The configuration for Netlogin and Policy is shown below:
enable netlogin dot1x mac
configure netlogin authentication protocol-order mac dot1x web-based
enable netlogin ports 1:4 dot1x
enable netlogin ports 1:1-48,2:1-48,3:1-48 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "#$blVDSCrXyf9R/WdJIgkGS7+UVGf8Fg=="
configure policy profile 5 name "Guest Access" pvid-status "enable" pvid 4095 cos-status "enable" cos
configure policy rule admin-profile port 1:4 mask 16 port-string 1:4 admin-pid 5
This is the output from show netlogin:
Floor_18-EDGE-STK-02.1 # show netlogin port 1:4
Port : 1:4
Authentication : 802.1x, mac-based
Port State : Enabled
Authentication Mode : Required (Policy Enabled only)
Max Supported Users : 1024 (Policy Enabled only)
Allowed Users : 128 (Policy Enabled only)
Current Users : 0 (Policy Enabled only)
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication period : 3600
Re-authentication : Off
Authentication Delay : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------
MAC IP address Authenticated Type ReAuth-Timer User
b8:6b:23:82:06:85 0.0.0.0 No 802.1x 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB
So in this case, even though there is a default policy the client will not connect. What is odd is the type says 802.1x. So I decided to disable the supplicant on the client, clear the netlogin season for port 1:4 and reconnect.
When the device connects the logs now just show is trying MAC auth, no entry for 802.1x:
10/08/2018 10:48:39.15 Slot-1: Authentication failed for Network Login MAC user B86B23820685 Mac B8:6B:23:82:06:85 port 1:4
10/08/2018 10:48:39.15
When you look as the session information it still says the type is 802.1x, either way I can't get the port to fallback to the default role:
------------------------------------------------
Netlogin Clients
------------------------------------------------
MAC IP address Authenticated Type ReAuth-Timer User
b8:6b:23:82:06:85 0.0.0.0 No 802.1x 0
-----------------------------------------------
Just wondering if you can see anything wrong, maybe share the configuration in the example you have provided.
Many thanks in advance
Anonymous
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
10-01-2018 08:54 AM
Hi Ryan,
Thanks for taking the time to respond, very helpful.
So I'll go away and play with this. Basically I'll need to enable MAC auth as well as 802.1x on all my ports, and define a default policy based on what I wont to do if AAA functionality fails.
Once done, I'll post back my netlogin configuration for reference.
Cheers.
Thanks for taking the time to respond, very helpful.
So I'll go away and play with this. Basically I'll need to enable MAC auth as well as 802.1x on all my ports, and define a default policy based on what I wont to do if AAA functionality fails.
Once done, I'll post back my netlogin configuration for reference.
Cheers.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-30-2018 02:35 PM
Hey Martin,
You are correct if the environment that you're running in is 802.1x only. 802.1x relies on a supplicant on the end system in order to complete authentication. If the supplicant doesn't exist the end system could connect to the switch port and gain access without performing any type of authentication.
However, MAC authentication doesn't require any supplicant or configuration from the end system itself. As long as the end system sources a packet, MAC authentication WILL perform MAC authentication on that end system as long as the AAA infrastructure is operating normally. With X and MAC enabled there will be some level of authentication for every device unless AAA is not functional.
We have customers that have MAC authentication provide a "Quarantine" role that restricts network access until 802.1x is completed. In this environment the client will connect, initially obtain a "Quarantine" role, and once 802.1x completes it can elevate the policy to one that provides the desired level of access.
In this situation if a guest plugs in to the same port without a supplicant they will sit in "Quarantine" as MAC authentication will still complete.
If AAA functionality is compromised the device will default to the static configuration on the port. You can set a default policy on the port as well that will be used if authentication fails.
Thanks
-Ryan
You are correct if the environment that you're running in is 802.1x only. 802.1x relies on a supplicant on the end system in order to complete authentication. If the supplicant doesn't exist the end system could connect to the switch port and gain access without performing any type of authentication.
However, MAC authentication doesn't require any supplicant or configuration from the end system itself. As long as the end system sources a packet, MAC authentication WILL perform MAC authentication on that end system as long as the AAA infrastructure is operating normally. With X and MAC enabled there will be some level of authentication for every device unless AAA is not functional.
We have customers that have MAC authentication provide a "Quarantine" role that restricts network access until 802.1x is completed. In this environment the client will connect, initially obtain a "Quarantine" role, and once 802.1x completes it can elevate the policy to one that provides the desired level of access.
In this situation if a guest plugs in to the same port without a supplicant they will sit in "Quarantine" as MAC authentication will still complete.
If AAA functionality is compromised the device will default to the static configuration on the port. You can set a default policy on the port as well that will be used if authentication fails.
Thanks
-Ryan
Anonymous
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-28-2018 01:55 PM
Hi Brad, thanks for posting back.
The reason I haven't used that command is because I believed it would allow devices onto the network in normal operation even if they didn't authenticate. The only time I've really used it is when using NAC in monitoring mode i.e. MAC auth optional.
So I'm thinking yes it would do the trick, but at the same time bypass the port authentication security in the process under normal operation - would that be right?
The following GTAC article says the following:
https://gtacknowledge.extremenetworks.com/articles/Q_A/If-port-has-been-configured-for-authOptional-...
Martin
The reason I haven't used that command is because I believed it would allow devices onto the network in normal operation even if they didn't authenticate. The only time I've really used it is when using NAC in monitoring mode i.e. MAC auth optional.
So I'm thinking yes it would do the trick, but at the same time bypass the port authentication security in the process under normal operation - would that be right?
The following GTAC article says the following:
https://gtacknowledge.extremenetworks.com/articles/Q_A/If-port-has-been-configured-for-authOptional-...
- With authentication optional mode, the traffic from the client will be allowed even when it is not authenticated. i.e. authentication is not mandatory. If the client failed to authenticate due to some reason (either server unreachable or wrong password or some other reason), then switch will still add the MAC in fdb table and stop initiating the re-auth request to the radius server. The next authentication will be triggered only when fdb ages out or “clear fdb” is executed. If the client gets successfully authenticated with this mode, then it will continue to send the re-auth request after every policy session time-out. But since this customer scenario deals about failed client, session time-out does not apply. After aging time expires the failed entries will be deleted from netlogin however the FDB do not get cleared.
Martin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-28-2018 01:13 PM
Hi Martin,
I'm not sure if this is the question that you're asking--but what if you set the authentication to optional? That way if NAC/RADIUS are unavailable, users can still access the network. Is that an option?
configure netlogin port authentication mode optional
Thanks
Brad
I'm not sure if this is the question that you're asking--but what if you set the authentication to optional? That way if NAC/RADIUS are unavailable, users can still access the network. Is that an option?
configure netlogin port authentication mode optional
Thanks
Brad
