This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- netlogin - "Default" VLAN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
netlogin - "Default" VLAN
netlogin - "Default" VLAN
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:51 PM
Create Date: Feb 29 2012 6:02AM
Hi, I come from CISCO world. For our customer I need to configure 802.1x netlogin on their "Default" VLAN. They use this default VLAN for several years. It´s a BD8810 switch with XOS 12.5.1.6.
When I want to use commands from Concept guide and use a example for enable netlogin, the switch write back: ERROR: No ports should be assigned to the NetLogin VLAN.
For command: enable netlogin dot1x, it write back: ERROR: No NetLogin VLAN is configured. Configuration failed on backup MSM, command execution aborted!
Is it possible to use 802.1x authentication on "default VLAN"
thanks for any reply
(from Ondrej_Cerveny)
Hi, I come from CISCO world. For our customer I need to configure 802.1x netlogin on their "Default" VLAN. They use this default VLAN for several years. It´s a BD8810 switch with XOS 12.5.1.6.
When I want to use commands from Concept guide and use a example for enable netlogin, the switch write back: ERROR: No ports should be assigned to the NetLogin VLAN.
For command: enable netlogin dot1x, it write back: ERROR: No NetLogin VLAN is configured. Configuration failed on backup MSM, command execution aborted!
Is it possible to use 802.1x authentication on "default VLAN"
thanks for any reply
(from Ondrej_Cerveny)
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:51 PM
Create Date: Mar 12 2012 6:13AM
Hi Andrew,
the statement that the "authentication vlan cannot work on Layer 3" ist right(-->
* Testswitch.8 # en ipforwarding "NO_AUTH_LA"
Error: VLAN NO_AUTH_LA is enabled for NetLogIn!). In my lab i´m using a Summit X450e-24p with EXOS version 12.6.1.3. This Switch works at layer 2. The routing is done by a BD8806 with EXOS version 12.4.5.3 patch 1-5. In the lab i use a RADIUS server for wired authentication, too. On the netlogin port i have a two devices, one ip-phone and behind this a notebook. My netlogin scenario (mac based) is working. I can reach all network resources.
--> * Testswitch.15 # sh netlogin por 16
Port : 16
Port Restart : Disabled
Allow Egress : Broadcast, Unicast
Vlan : Muc_PC
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:08:5d:29:cf:18 0.0.0.0 Yes, Radius MAC 0 00085D29CF18
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Port : 16
Port Restart : Disabled
Allow Egress : Broadcast, Unicast
Vlan : Muc_Tel
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:08:5d:29:cf:18 0.0.0.0 Yes, Radius MAC 0 00085D29CF18
-----------------------------------------------
(B) - Client entry Blackholed in FDB
* Testswitch.9 # sh netlogin
NetLogin Authentication Mode : web-based DISABLED; 802.1x ENABLED; mac-based ENABLED
NetLogin VLAN : "NO_AUTH_LA"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Disabled
Dynamic VLAN Uplink Ports : None
Regards
Matthias
(from matthias_mager)
Hi Andrew,
the statement that the "authentication vlan cannot work on Layer 3" ist right(-->
* Testswitch.8 # en ipforwarding "NO_AUTH_LA"
Error: VLAN NO_AUTH_LA is enabled for NetLogIn!). In my lab i´m using a Summit X450e-24p with EXOS version 12.6.1.3. This Switch works at layer 2. The routing is done by a BD8806 with EXOS version 12.4.5.3 patch 1-5. In the lab i use a RADIUS server for wired authentication, too. On the netlogin port i have a two devices, one ip-phone and behind this a notebook. My netlogin scenario (mac based) is working. I can reach all network resources.
--> * Testswitch.15 # sh netlogin por 16
Port : 16
Port Restart : Disabled
Allow Egress : Broadcast, Unicast
Vlan : Muc_PC
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:08:5d:29:cf:18 0.0.0.0 Yes, Radius MAC 0 00085D29CF18
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Port : 16
Port Restart : Disabled
Allow Egress : Broadcast, Unicast
Vlan : Muc_Tel
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:08:5d:29:cf:18 0.0.0.0 Yes, Radius MAC 0 00085D29CF18
-----------------------------------------------
(B) - Client entry Blackholed in FDB
* Testswitch.9 # sh netlogin
NetLogin Authentication Mode : web-based DISABLED; 802.1x ENABLED; mac-based ENABLED
NetLogin VLAN : "NO_AUTH_LA"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Disabled
Dynamic VLAN Uplink Ports : None
Regards
Matthias
(from matthias_mager)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:51 PM
Create Date: Mar 11 2012 11:30PM
Hi Scott, I use Concept guide 12.1. I would like to use ISP mode. The ports will be in the VLAN for autentication and nothing else. I prepared RADIUS server for wired authentication.
When I set netlogin on my VLAN (configure netlogin vlan “LAN_AUTHâ€, enable netlogin dot1x, enable netlogin ports 10:15 dot1x) (I can set it), then I would like to connect notebook to this port, lease DHCP addres and forward traffic on this BD8810 to another VLAN (production network). So I would like to route traffic od this switch, but when I set netlogin, the ipforwarding proces stop and I cannot route the traffic to another VLAN. If I use a command for enabel ipforwarding (enable ipforwarding VLAN LAN_AUTH) the cli return back this: Configuration failed on backup MSM, command execution aborted!.
Is it normal? Or is it some bug or feature of this switch. From CISCO world It look like some mistake. On CISCO switch I could route and make port based authentication in same time.
It could be some unclarity of my idea process.
I have switch: BlackDiamond 8810 with SW: ExtremeXOS version 12.5.1.6
Thank for reply,
Andrew
(from Ondrej_Cerveny)
Hi Scott, I use Concept guide 12.1. I would like to use ISP mode. The ports will be in the VLAN for autentication and nothing else. I prepared RADIUS server for wired authentication.
When I set netlogin on my VLAN (configure netlogin vlan “LAN_AUTHâ€, enable netlogin dot1x, enable netlogin ports 10:15 dot1x) (I can set it), then I would like to connect notebook to this port, lease DHCP addres and forward traffic on this BD8810 to another VLAN (production network). So I would like to route traffic od this switch, but when I set netlogin, the ipforwarding proces stop and I cannot route the traffic to another VLAN. If I use a command for enabel ipforwarding (enable ipforwarding VLAN LAN_AUTH) the cli return back this: Configuration failed on backup MSM, command execution aborted!.
Is it normal? Or is it some bug or feature of this switch. From CISCO world It look like some mistake. On CISCO switch I could route and make port based authentication in same time.
It could be some unclarity of my idea process.
I have switch: BlackDiamond 8810 with SW: ExtremeXOS version 12.5.1.6
Thank for reply,
Andrew
(from Ondrej_Cerveny)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:51 PM
Create Date: Mar 9 2012 8:01AM
Andrew,
The netlogin VLAN is used as a landing spot for devices while they are going through the netlogin process. You are correct that it cannot be used for routing, but no device will spend much time in it if you have configured netlogin completely. The device, and therefore the user, will be moved to a routable VLAN after authentication. There are two modes of Netlogin operation, ISP and Campus. Each mode handles the user VLAN differently.
In ISP mode, you add the destination VLAN to the ports before enabling Netlogin. When authentication is successful, the switch will open up the port for that MAC to access the VLAN.
In Campus mode, you can tell the switch which VLAN to move the device to upon completion of the login process. You can use a local authentication database in the switch or a RADIUS server or a combination of the two. The VLAN must exist on the switch, btw. If you are using a local database on the switch, you use the key "vlan-vsa" at the end of the "netlogin local-user" command to specify the VLAN name. You can also specify whether the VLAN should be .1q tagged or not. The default is untagged. If you are using a RADIUS server, you need to add the Extreme Networks VSA definitions and values. FreeRADIUS stores the definitions in the "dictionary" file and the attributes in the "users" file. Tagging is also supported through this method. Here's an example of setting up a local user on the switch.
create netlogin local-user "Jim" 12345 vlan-vsa "data"
Here's an example of the entry in the users file for user "Jim".
Jim Auth-Type := EAP, User-Password == "12345"
Session-Timeout = 60,
Termination-Action = 1,
Extreme-Netlogin-Vlan = voice-vlan
All of the VSA's can be found in the Concepts Guide. I found them on page 875 of the 12.6 guide.
Regards, Scott (from Scott_Singer)
Andrew,
The netlogin VLAN is used as a landing spot for devices while they are going through the netlogin process. You are correct that it cannot be used for routing, but no device will spend much time in it if you have configured netlogin completely. The device, and therefore the user, will be moved to a routable VLAN after authentication. There are two modes of Netlogin operation, ISP and Campus. Each mode handles the user VLAN differently.
In ISP mode, you add the destination VLAN to the ports before enabling Netlogin. When authentication is successful, the switch will open up the port for that MAC to access the VLAN.
In Campus mode, you can tell the switch which VLAN to move the device to upon completion of the login process. You can use a local authentication database in the switch or a RADIUS server or a combination of the two. The VLAN must exist on the switch, btw. If you are using a local database on the switch, you use the key "vlan-vsa" at the end of the "netlogin local-user" command to specify the VLAN name. You can also specify whether the VLAN should be .1q tagged or not. The default is untagged. If you are using a RADIUS server, you need to add the Extreme Networks VSA definitions and values. FreeRADIUS stores the definitions in the "dictionary" file and the attributes in the "users" file. Tagging is also supported through this method. Here's an example of setting up a local user on the switch.
create netlogin local-user "Jim" 12345 vlan-vsa "data"
Here's an example of the entry in the users file for user "Jim".
Jim Auth-Type := EAP, User-Password == "12345"
Session-Timeout = 60,
Termination-Action = 1,
Extreme-Netlogin-Vlan = voice-vlan
All of the VSA's can be found in the Concepts Guide. I found them on page 875 of the 12.6 guide.
Regards, Scott (from Scott_Singer)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:51 PM
Create Date: Mar 9 2012 5:55AM
Hi, thanks for reply.
I tried this, but in this case I need to route traffic between VLANs and for traffic is needed ipforwarding, but with ipforwarding I couldn´t use network login. Netowrk login is available only on VLAN without ipforwarding.
Any idea?
Thanks Andrew
(from Ondrej_Cerveny)
Hi, thanks for reply.
I tried this, but in this case I need to route traffic between VLANs and for traffic is needed ipforwarding, but with ipforwarding I couldn´t use network login. Netowrk login is available only on VLAN without ipforwarding.
Any idea?
Thanks Andrew
(from Ondrej_Cerveny)
