802.1x failing but radius authentication succeeded
‎02-02-2018 10:29 AM
Hello,
I'm testing 802.1x authentication on Extreme XOS. I'm running XOS 16.2.4.5 patch1-5 on an x440-8t switch. I've completed the setup based on the documentation provided by Extreme. The problem is that I'm receiving "Authentication failed for Network Login 802.1x user host/xxxxxx Mac xxxxxxx port x", although if I run Wireshark on my RADIUS server, I see authentication successful for host/xxxxxx. I'm wondering why the switch is considering it as failed. My RADIUS server is a Microsoft 2008R2 NPS server.
Thanks
Mario
13 REPLIES 13
‎02-07-2018 04:18 PM
Thank you, I've done that already but still getting the error:
auth move result: Destination VLAN not supplied
authVlans preprocessing result; Destination VLAN not supplied
Vlan on switch is named: BR-STA-078
settings Radius Server see screenshot:
‎02-07-2018 04:18 PM
Hi Stephanos,
You should follow the Additional notes of the following documentation.
For example, if you want to add the successful authentication to vlan Default as untagged, you should add the following attribute value Udefault.
I don't know why they put it in additional notes while it should be a required configuration.
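A check for the condition discussed in this thread, as an added example (not from the original posts or from Extreme's documentation): it parses a captured RADIUS Access-Accept and lists any VLAN assignment it carries, so an empty result is the case the switch logs as "Destination VLAN not supplied". The vendor ID 1916 and VSA type 211 are assumptions taken from Extreme's public RADIUS dictionary, the `build` helper and sample packets are constructed, and the Response Authenticator is not verified.

```python
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26             # RFC 2865
TUNNEL_PRIVATE_GROUP_ID = 81     # RFC 2868, standard VLAN attribute
EXTREME_VENDOR_ID = 1916         # assumption: Extreme Networks enterprise number
EXTREME_EXTENDED_VLAN = 211      # assumption: Extreme-Netlogin-Extended-Vlan VSA

def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def vlan_assignments(packet: bytes):
    """List the VLAN assignments carried by an Access-Accept (empty if none)."""
    code, attrs = parse_attributes(packet)
    found = []
    for a_type, value in attrs if code == ACCESS_ACCEPT else []:
        if a_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:   # optional RFC 2868 tag byte
                value = value[1:]
            found.append(("Tunnel-Private-Group-ID", value.decode("ascii", "replace")))
        elif a_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
            if vendor == EXTREME_VENDOR_ID and v_type == EXTREME_EXTENDED_VLAN:
                found.append(("Extreme-Netlogin-Extended-Vlan",
                              value[6:4 + v_len].decode("ascii", "replace")))
    return found

def build(code, attrs):
    # Constructed test packets only: zeroed authenticator, no signing.
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: an Accept with no VLAN, and one carrying "Udefault".
ACCEPT_NO_VLAN = build(2, [(1, b"host/pc1")])
VSA = struct.pack("!IBB", EXTREME_VENDOR_ID, EXTREME_EXTENDED_VLAN, 10) + b"Udefault"
ACCEPT_WITH_VLAN = build(2, [(1, b"host/pc1"), (VENDOR_SPECIFIC, VSA)])
```

To use it on real traffic, pass the UDP payload of the Access-Accept exported from the Wireshark capture to `vlan_assignments`.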
‎02-07-2018 04:18 PM
Thanks, but when you say the switch was expecting the destination VLAN from the RADIUS, what configuration did you change, as I have the same exact issue:
‎02-07-2018 03:43 AM
Hi Stefan
X440-8t.1 # show config | include netlogin
configure radius netlogin primary server 172.21.192.162 1812 client-ip 172.21.192.222 vr VR-Default
configure radius netlogin primary shared-secret encrypted "#$cdHMN3kX1OgZyNlPvyzn0ZhwmNu23g=="
enable radius netlogin
configure radius netlogin timeout 120
configure netlogin vlan nt_login
enable netlogin dot1x
enable netlogin ports 1 dot1x
configure netlogin ports 1 mode port-based-vlans
configure netlogin ports 1 no-restart
X440-8t.2 # sh vlan
-----------------------------------------------------------------------------------------------
Name VID Protocol Addr Flags Proto Ports Virtual
Active router
/Total
-----------------------------------------------------------------------------------------------
Default 1 172.21.192.222 /20 ------------T---------------- ANY 2 /11 VR-Default
Mgmt 4095 ------------------------------------------------- ANY 0 /1 VR-Mgmt
nt_login 4094 ----------------------LN------------------------- ANY 0 /1 VR-Default
-----------------------------------------------------------------------------------------------
Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,
(d) Dynamically created VLAN, (D) VLAN Admin Disabled,
(e) CES Configured, (E) ESRP Enabled, (f) IP Forwarding Enabled,
(F) Learning Disabled, (h) TRILL Enabled, (i) ISIS Enabled,
(I) Inter-Switch Connection VLAN for MLAG, (k) PTP Configured,
(l) MPLS Enabled, (L) Loopback Enabled, (m) IPmc Forwarding Enabled,
(M) Translation Member VLAN or Subscriber VLAN, (n) IP Multinetting Enabled,
(N) Network Login VLAN, (o) OSPF Enabled, (O) Flooding Disabled,
(p) PIM Enabled, (P) EAPS protected VLAN, (r) RIP Enabled,
(R) Sub-VLAN IP Range Configured, (s) Sub-VLAN, (S) Super-VLAN,
(t) Translation VLAN or Network VLAN, (T) Member of STP Domain,
(v) VRRP Enabled, (V) VPLS Enabled, (W) VPWS Enabled, (Z) OpenFlow Enabled
Total number of VLAN(s) : 3
‎02-06-2018 07:25 PM
Interesting...Everything looks good. Could you please share output of this command:
show config | include netlogin (it is slightly different than sh config | include radius)
and
show vlan
