
VPEX with netlogin mac


Benjamin_Kümmel
New Contributor II

Hello,

some days ago we built our first vpex environment with netlogin mac enabled ports and redundant controller bridges. Although the netlogin request is positively answered by the nac-server, the port goes into unauthenticated state.


In the gtac knowledge base I found the following article https://extremeportal.force.com/ExtrArticleDetail?an=000086551 which gives hints on an enabled policy. What do we have to do to solve our problem?

Benjamin

1 ACCEPTED SOLUTION

Benjamin_Kümmel
New Contributor II

Hello,

here are some words about my solution. As I’ve read now, I need policies to solve my netlogin-problem in a vpex environment.

The first step was to enable policies on the switches and add some snmp write credentials so that the emc can push the policies to the switches.

Now I created on the emc a new empty policy domain and created one new policy role to give full access by permitting traffic. After saving these simple settings I distributed the policy to the switches by adding the newly created policy domain to the switches. Before that it was necessary to add the new write credentials to the access profile.

After that I modified the given nac-configuration and modified the rules so that emc now gives back the allow all policy to switches instead of the enterprise user policy after a successful request.

Benjamin


7 REPLIES 7

Miguel-Angel_RO
Valued Contributor II

Benjamin,

Have a look here: https://extremeportal.force.com/ExtrArticleDetail?an=000077264

Your radius seems to be answering with a policy name starting with “enterprise...” but the screenshot is cutting the end of the name. This name is the TestPolicy in the example.

Mig

Benjamin_Kümmel
New Contributor II

Hello Stefan,

thank you for your demand. Here is the information:

* (orchestration cb-schloss-02) Slot-1 VPEX cb-schloss-01.7 # sh netl por 106:9
Port                          : 106:9
Port Restart                  : Disabled
Allow Egress                  : Broadcast, Unicast
Vlan                          : vlan-mag-reykjavik
Authentication                : mac-based
Port State                    : Enabled
Authentication Mode           : Required (Policy Enabled only)
Max Supported Users           : 24576 (Policy Enabled only)
Allowed Users                 : 128 (Policy Enabled only)
Current Users                 : 0 (Policy Enabled only)
Auth Failure Vlan             : Disabled
Auth Service-Unavailable Vlan : Disabled
------------------------------------------------
        MAC Mode Port Configuration
------------------------------------------------
Re-authentication period      : 3600
Re-authentication             : Off
Authentication Delay          : 0 seconds (Default)
------------------------------------------------
        Netlogin Clients
------------------------------------------------

MAC                IP address       Authenticated     Type    ReAuth-Timer   User
-----------------------------------------------
(B) - Client entry Blackholed in FDB


Number of Clients Authenticated  : 0
* (orchestration cb-schloss-02) Slot-1 VPEX cb-schloss-01.8 # sh conf netlogin
#
# Module netLogin configuration.
#
configure netlogin vlan dummy
enable netlogin mac
configure netlogin mac authentication database-order radius
enable netlogin ports 106:9 mac
configure netlogin ports 106:9 mode mac-based-vlans
configure netlogin ports 106:9 no-restart
configure netlogin ports 106:9 allow egress-traffic all_cast
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
* (orchestration cb-schloss-02) Slot-1 VPEX cb-schloss-01.9 # sh conf polic
#
# Module policy configuration.
#
* (orchestration cb-schloss-02) Slot-1 VPEX cb-schloss-01.10 #

I’ve seen the need to use policies. I hope that this feature is easy to implement.

Greetings

Benjamin
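
Added example, not part of any post in this thread: a small Python check that reads pasted "show configuration" output like the one above and flags the situation the thread ends up diagnosing, netlogin enabled on ports while the policy module section is empty. The sample text is constructed from the output above, and the function names and the list of statement verbs are assumptions of this example.

```python
import re

# Constructed sample, modelled on the "show configuration" output in this thread.
SAMPLE = """\
#
# Module netLogin configuration.
#
configure netlogin vlan dummy
enable netlogin mac
configure netlogin mac authentication database-order radius
enable netlogin ports 106:9 mac
configure netlogin ports 106:9 mode mac-based-vlans
#
# Module policy configuration.
#
"""

MODULE_RE = re.compile(r"^# Module (\S+) configuration\.$")
PORT_RE = re.compile(r"^enable netlogin ports (\S+) (\S+)$")
# Assumption: configuration statements start with one of these verbs; prompt
# lines and "#" comment lines from a pasted session are ignored.
VERBS = {"configure", "enable", "disable", "create"}


def split_modules(text):
    """Return {module name: [configuration statements]} from pasted output."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = MODULE_RE.match(line)
        if header:
            current = header.group(1).lower()
            modules.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in VERBS:
            modules[current].append(line)
    return modules


def audit(text):
    """Report netlogin ports and whether any policy configuration exists."""
    modules = split_modules(text)
    ports = {}
    for stmt in modules.get("netlogin", []):
        match = PORT_RE.match(stmt)
        if match:
            ports[match.group(1)] = match.group(2)  # port -> auth method
    if "policy" not in modules:
        policy = "not-shown"  # section was not pasted, so no judgement
    else:
        policy = "present" if modules["policy"] else "empty"
    return {"ports": ports, "policy": policy,
            "flag": bool(ports) and policy == "empty"}
```

A result with "flag" set to True means netlogin ports exist but the policy section holds no statements, which is the state shown in the output above.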

Stefan_K_
Valued Contributor

Can you provide us with the output of the following commands?

show netlogin session ports 106:9
show configuration netlogin
show configuration policy

Do you see the client in the NAC End-Systems table?
