This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- Netlogin: MAC authentication against Clearpass Rad...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Netlogin: MAC authentication against Clearpass Radius Server: Password missmatch
Netlogin: MAC authentication against Clearpass Radius Server: Password missmatch
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-15-2019 08:57 AM
maybe someone can shine some light on this: we are trying to use MAC authentication on x440-g2 switches against an aruba clearpass server with radius. we encountered the following problems:
6 months ago when it still worked we used version 22.6 or something. are there changes that went into the radius / netlogin stack?
This is the configuration we are currently using:
* sw309.6 # show config aaa
#
# Module aaa configuration.
#
configure radius netlogin primary server 10.231.131.209 1812 client-ip 172.28.32.52 vr VR-Default
configure radius netlogin primary shared-secret encrypted "********"
configure radius-accounting mgmt-access primary server 10.231.131.209 1813 client-ip 172.28.32.52 vr VR-Default
configure radius-accounting mgmt-access primary shared-secret encrypted "********"
configure radius-accounting netlogin primary server 10.231.131.209 1813 client-ip 172.28.32.52 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "********"
configure radius dynamic-authorization 1 server 10.231.131.209 client-ip 172.28.32.52 vr VR-Default shared-secret encrypted "********"
enable radius
enable radius mgmt-access
enable radius netlogin
enable radius-accounting mgmt-access
enable radius-accounting netlogin
enable radius dynamic-authorization
configure account admin encrypted "********"
create account admin adm encrypted "********"
create netlogin local-user "admin" encrypted "********" vlan-vsa switchnet
* sw309.7 # show config netlogin
#
# Module netLogin configuration.
#
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
enable netlogin ports 1-16 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "*********"
* sw309.8 #
- we need to use the command "enable policy" to even use dot1x and MAC auth properly. as far as i know, this enables a newer radius stack. unfortunatly much of the documentation still uses the old stack. commands like "conf netlogin vlan nt_login" don't exist with the new stack. is there newer documentation about this? what exactly are the differences about these modes "enable/disable policy"
- 6 months ago while testing the mac authentication worked, in the last tests, i get the following error from clearpass:MAC-AUTH: Password in request doesn't match username. Not attempting MAC authentication
6 months ago when it still worked we used version 22.6 or something. are there changes that went into the radius / netlogin stack?
This is the configuration we are currently using:
* sw309.6 # show config aaa
#
# Module aaa configuration.
#
configure radius netlogin primary server 10.231.131.209 1812 client-ip 172.28.32.52 vr VR-Default
configure radius netlogin primary shared-secret encrypted "********"
configure radius-accounting mgmt-access primary server 10.231.131.209 1813 client-ip 172.28.32.52 vr VR-Default
configure radius-accounting mgmt-access primary shared-secret encrypted "********"
configure radius-accounting netlogin primary server 10.231.131.209 1813 client-ip 172.28.32.52 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "********"
configure radius dynamic-authorization 1 server 10.231.131.209 client-ip 172.28.32.52 vr VR-Default shared-secret encrypted "********"
enable radius
enable radius mgmt-access
enable radius netlogin
enable radius-accounting mgmt-access
enable radius-accounting netlogin
enable radius dynamic-authorization
configure account admin encrypted "********"
create account admin adm encrypted "********"
create netlogin local-user "admin" encrypted "********" vlan-vsa switchnet
* sw309.7 # show config netlogin
#
# Module netLogin configuration.
#
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
enable netlogin ports 1-16 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "*********"
* sw309.8 #
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-15-2019 02:27 PM
we don't plan to use XMC, but without enable policy we couldn't mix mac and dot1x auth or couldn't authenticate more then one device per port, i'm not sure anymore.
anyway, your solution worked.
im a bit surprised, since last time, i used the same command:
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
and the exos system appended the 'encrypted "***********"' part on its own. after removing the mac-list and reentering the same command, the encrypted part didn't get configured again and its working as intended.
thank you very much.
any informations if its possible to assign an ISID/NSI via netlogin? i guess if i can only supply a vlan-id without nsi, the vlans need to get configured with isid on the edge-switch prior to using netlogin?
anyway, your solution worked.
im a bit surprised, since last time, i used the same command:
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
and the exos system appended the 'encrypted "***********"' part on its own. after removing the mac-list and reentering the same command, the encrypted part didn't get configured again and its working as intended.
thank you very much.
any informations if its possible to assign an ISID/NSI via netlogin? i guess if i can only supply a vlan-id without nsi, the vlans need to get configured with isid on the edge-switch prior to using netlogin?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-15-2019 01:51 PM
If you plan to use XMC Extreme Control using policy config and send a radius "Filter-ID" then enable policy on the switch. If you plan for just authentication and vlan assignment then don't enable policy.
https://www.extremenetworks.com/product/extremecontrol/
The problem is with your MAC-list. If you configure a password it will take the MAC of the supplicant and use it for the username, and take your given password for the password for all MAC auth so they will never match. If you use the configuration below it will take the MAC of the supplicant and use it for the username and password.
Note: you will need to delete your old MAC-List
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
https://www.extremenetworks.com/product/extremecontrol/
The problem is with your MAC-list. If you configure a password it will take the MAC of the supplicant and use it for the username, and take your given password for the password for all MAC auth so they will never match. If you use the configuration below it will take the MAC of the supplicant and use it for the username and password.
Note: you will need to delete your old MAC-List
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
