09-23-2020 06:48 PM
Hello,
some days ago we have built up our first VPEX environment with netlogin mac enabled ports and redundant controller bridges. Although the netlogin request is positively answered by the NAC server, the port goes into unauthenticated state.
In the GTAC knowledge base I found the following article https://extremeportal.force.com/ExtrArticleDetail?an=000086551 which gives hints about an enabled policy. What do we have to do to solve our problem?
Benjamin
10-19-2020 07:10 PM
Hello,
here are some words about my solution. As I've read now, I need policies to solve my netlogin problem in a VPEX environment.
The first step was to enable policies on the switches and add some snmp write credentials so that the emc can push the policies to the switches.
Now I created on the EMC a new empty policy domain and created one new policy role to give full access by permitting traffic. After saving these simple settings I distributed the policy to the switches by adding the newly created policy domain to the switches. Before that it was necessary to add the new write credentials to the access profile.
After that I modified the given NAC configuration and modified the rules so that EMC now gives back the allow-all policy to the switches instead of the enterprise user policy after a successful request.
Benjamin
09-24-2020 10:09 PM
Benjamin,
Have a look here: https://extremeportal.force.com/ExtrArticleDetail?an=000077264
Your RADIUS seems to be answering with a policy name starting with "enterprise..." but the screenshot is cutting off the end of the name. This name is the TestPolicy in the example.
Mig
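The mismatch Mig points at (a policy name in the RADIUS reply that the switch has no role for) can be checked offline against a captured Access-Accept. The following Python is an added example, not code from this thread or from Extreme; it assumes the policy name arrives in Filter-Id (RFC 2865 type 11), either as a bare name or in the "Enterasys:version=1:policy=NAME" form, and takes the switch's role names as a plain set.

```python
"""Decode RADIUS Access-Accept attributes and check whether the policy name
they carry exists on the switch (constructed example, assumptions noted)."""
import re
from typing import List, Set, Tuple

FILTER_ID = 11  # RFC 2865 attribute type for Filter-Id


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute section of a RADIUS packet into (type, value) pairs.
    Each attribute is Type(1) Length(1, includes header) Value(Length-2)."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def policy_names(attrs: List[Tuple[int, bytes]]) -> List[str]:
    """Extract policy names from Filter-Id attributes. Assumption: either a bare
    role name or the Enterasys 'policy=' key/value form is used."""
    names = []
    for atype, value in attrs:
        if atype != FILTER_ID:
            continue
        text = value.decode("ascii", errors="replace")
        m = re.search(r"policy=([^:]+)", text)
        names.append(m.group(1) if m else text)
    return names


def check_accept(blob: bytes, switch_roles: Set[str]) -> Tuple[str, str]:
    """Return ('ok', name) if every returned policy exists on the switch,
    ('unknown-policy', name) for the first one that does not, or
    ('no-policy', '') if the Accept carries no Filter-Id at all."""
    names = policy_names(parse_attributes(blob))
    if not names:
        return ("no-policy", "")
    for name in names:
        if name not in switch_roles:
            return ("unknown-policy", name)
    return ("ok", names[0])


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute TLV (helper for building constructed packets)."""
    return bytes([atype, len(value) + 2]) + value
```

A quick way to reproduce the situation in the thread is to feed it an Accept carrying "Enterprise User" while the switch only knows the role you actually distributed.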
09-24-2020 06:47 PM
Hello Stefan,
thank you for your demand. Here is the information:
* (orchestration cb-schloss-02) Slot-1 VPEX cb-schloss-01.7 # sh netl por 106:9
Port : 106:9
Port Restart : Disabled
Allow Egress : Broadcast, Unicast
Vlan : vlan-mag-reykjavik
Authentication : mac-based
Port State : Enabled
Authentication Mode : Required (Policy Enabled only)
Max Supported Users : 24576 (Policy Enabled only)
Allowed Users : 128 (Policy Enabled only)
Current Users : 0 (Policy Enabled only)
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication period : 3600
Re-authentication : Off
Authentication Delay : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------
MAC IP address Authenticated Type ReAuth-Timer User
-----------------------------------------------
(B) - Client entry Blackholed in FDB
Number of Clients Authenticated : 0
* (orchestration cb-schloss-02) Slot-1 VPEX cb-schloss-01.8 # sh conf netlogin
#
# Module netLogin configuration.
#
configure netlogin vlan dummy
enable netlogin mac
configure netlogin mac authentication database-order radius
enable netlogin ports 106:9 mac
configure netlogin ports 106:9 mode mac-based-vlans
configure netlogin ports 106:9 no-restart
configure netlogin ports 106:9 allow egress-traffic all_cast
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
* (orchestration cb-schloss-02) Slot-1 VPEX cb-schloss-01.9 # sh conf polic
#
# Module policy configuration.
#
* (orchestration cb-schloss-02) Slot-1 VPEX cb-schloss-01.10 #
I’ve seen the need to use policies. I hope that this feature is easy to implement.
Greetings
Benjamin
09-24-2020 10:00 AM
Can you provide us with the output of the following commands?
show netlogin session ports 106:9
show configuration netlogin
show configuration policy
Do you see the client in the NAC End-Systems table?