This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Strange Netlogin behaviour

Strange Netlogin behaviour

Luca_Messori
New Contributor II

‎09-30-2014 12:21 PM

I have configured bot dot1x and mac auth on the same port with dynamic vlan.
dot1x for PC and notebook
mac for telephone and printers

What I have seen is that just after the ports became active the switch starts mac auth instead of wait for eapol start from the client:
09/30/2014 15:43:21.94 Slot-1: Network Login 802.1x user host/DA17190.ita.rsa-ins.com logged in MAC A4:5D:36:D1:54:1C port 3:15 VLAN(s) "PP_4P", authentication Radius
09/30/2014 15:43:21.68 Slot-1: Network Login MAC user A45D36D1541C logged in MAC A4:5D:36:D1:54:1C port 3:15 VLAN(s) "Ospite", authentication Radius
09/30/2014 15:43:21.42 Slot-1: Port 3:15 link UP at speed 100 Mbps and full-duplex

After some second, when it receive the eapol start it restart a new authentication process for the same mac address.

The results is that client is first moved in guest vlan (where it gets an ip address from dhcp server) and then in client vlan.

This is my netlogin conf:
configure netlogin vlan TEMP
enable netlogin dot1x mac
configure netlogin agingtime 120
configure netlogin dynamic-vlan enable
configure netlogin dynamic-vlan uplink-ports 1:49
configure netlogin mac authentication database-order local radius
enable netlogin ports 1:1-48, 2:1-7, 2:9-17, 2:19-48, 3:1-12, 3:14-48, 4:1-48, 5:1-44, 5:46-50 dot1x
enable netlogin ports 1:1-48, 2:1-7, 2:9-17, 2:19-48, 3:1-12, 3:14-48, 4:1-48, 5:1-44, 5:46-50 mac
configure netlogin ports 1:1 mode port-based-vlans
configure netlogin ports 1:1 no-restart
.....
configure netlogin add mac-list 00:00:aa:fa:29:85 48 encrypted "=421BFAB3<44"
...
configure netlogin add mac-list 00:90:1e:90:00:e1 48 encrypted "=4;12B>315I0"
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin dot1x timers server-timeout 10
configure netlogin dot1x timers reauth-period 0
configure netlogin dot1x timers supp-resp-timeout 10
enable netlogin authentication service-unavailable vlan ports 1:1-48, 2:1-48, 3:1-48, 4:1-48, 5:1-50
configure netlogin authentication service-unavailable vlan Ospite ports 1:1-2, 1:4-8, 1:10-14, 1:16-48, 2:1-7, 2:10-17, 2:19-48, 3:1-12, 3:14-48, 4:1-28, 4:30-31, 4:33-48, 5:1-50

In my opinion this is un uncorret behaviour because mac auth should happens only when the client has'nt or has not configured a 802.1x supplicant.
0 Kudos
2 REPLIES 2

Luca_Messori
New Contributor II

‎09-30-2014 05:12 PM

I have done test with firmware 15.1.3 and 15.3.4.6-patch5 but I have the same results.
I have seen SR number 4-4576621665.

I think that there are two problems:
- the switch is not honoring the 30 second timeout period before mac auth
- the client sends the dhcp request immediately (before it is moved to its vlan)

I would like to resolve the first one problem.
In SR number 4-4576621665 there is this annotation:
"Resolved via 01033072"
What is 01033072?

Regards
0 Kudos

PARTHIBAN_CHINN
Contributor

‎09-30-2014 03:08 PM

This looks to me a known issue What is the exos version . Did you check with a different exos
0 Kudos
GTM-P2G8KFN