This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Technical Discussions
- Network Architecture & Design
- Authentication Mode Optional - Older Code
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Authentication Mode Optional - Older Code
Authentication Mode Optional - Older Code
Anonymous
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-23-2018 09:36 AM
Hi,
In the process of configuring MAC based Netlogin on some older switches, the configuration will look something like the following:
create vlan nt_login
configure netlogin vlan nt_login
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin mac authentication database-order radius
configure netlogin ports 20-22 mode port-based-vlans
configure netlogin authentication failure vlan Default ports 20-22
configure netlogin authentication service-unavailable vlan Default ports 20-22
enable netlogin ports 20-22 mac
enable netlogin mac
What I would like to do is use the same function as the optional command:
configure netlogin port 20-22 authentication mode optional
Basically so that I'm not enforcing the authentication, just essentially putting it into monitoring mode, as the 'optional' command isnt available on the version being used.
From what I understand the device will be put into the 'nt_login' VLAN whilst its being authenticated, but ideally I wouldn't want the device to be removed / disconnected from the network at any point or for any condition, just want to put the data into NAC.
The other problem being I can't say replace the VLAN 'nt_login' in the 'configure netlogin vlan' command with the default VLAN the port is already configured for.
Hopefully that makes sense, and appreciate any ideas.
Many thanks in advance.
In the process of configuring MAC based Netlogin on some older switches, the configuration will look something like the following:
create vlan nt_login
configure netlogin vlan nt_login
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin mac authentication database-order radius
configure netlogin ports 20-22 mode port-based-vlans
configure netlogin authentication failure vlan Default ports 20-22
configure netlogin authentication service-unavailable vlan Default ports 20-22
enable netlogin ports 20-22 mac
enable netlogin mac
What I would like to do is use the same function as the optional command:
configure netlogin port 20-22 authentication mode optional
Basically so that I'm not enforcing the authentication, just essentially putting it into monitoring mode, as the 'optional' command isnt available on the version being used.
From what I understand the device will be put into the 'nt_login' VLAN whilst its being authenticated, but ideally I wouldn't want the device to be removed / disconnected from the network at any point or for any condition, just want to put the data into NAC.
The other problem being I can't say replace the VLAN 'nt_login' in the 'configure netlogin vlan' command with the default VLAN the port is already configured for.
Hopefully that makes sense, and appreciate any ideas.
Many thanks in advance.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-24-2018 04:38 AM
Yes, ISP would block the mac until it becomes authenticated. The move fail action might work but I doubt we allow it to be the same as the already assigned one. You need to test to see if that works.
Anonymous
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-23-2018 07:32 PM
Thanks for getting back, and so quick again.
Reading through the EXOS user guide it defines ISP Mode as the following:
In ISP mode, the port and VLAN remain constant. Before the supplicant is authenticated, the port is in an unauthenticated state. After authentication, the port forwards packets.
That reads to me that although the VLAN remains constant it still seems reliant on authentication in order to pass traffic, otherwise the port would remain locked. With 'authentication mode optional' if RADIUS becomes unavailable the port will still forward... not sure what happens if you get a RADIUS reject back though, assume it will block?
Reading further I was wondering if the following command would achieve the same goal as optional:
configure netlogin move-fail-action authenticate
The discription for this is as follows:
If network login fails to perform Campus mode login, you can configure the switch to authenticate the client in the original VLAN or deny authentication even if the user name and password are correct.
The last bit of that sentence i'm not sure about though 'if the user name and password are correct', correct to what I wonder?
So my configuration would look like the following:
create vlan nt_login
configure netlogin vlan nt_login
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 password NOPASSWORD
configure netlogin mac authentication database-order radius
configure netlogin ports 20-22 mode mac-based-vlans
configure netlogin move-fail-action authenticate
enable netlogin ports 20-22 mac
enable netlogin mac
There looks like other commands I could use like:
configure netlogin authentication failure vlan Default ports 20-22
configure netlogin authentication service-unavailable vlan Default ports 20-22
So perhaps it just needs these?
Anyway, any other feedback would be great. Thanks
Reading through the EXOS user guide it defines ISP Mode as the following:
In ISP mode, the port and VLAN remain constant. Before the supplicant is authenticated, the port is in an unauthenticated state. After authentication, the port forwards packets.
That reads to me that although the VLAN remains constant it still seems reliant on authentication in order to pass traffic, otherwise the port would remain locked. With 'authentication mode optional' if RADIUS becomes unavailable the port will still forward... not sure what happens if you get a RADIUS reject back though, assume it will block?
Reading further I was wondering if the following command would achieve the same goal as optional:
configure netlogin move-fail-action authenticate
The discription for this is as follows:
If network login fails to perform Campus mode login, you can configure the switch to authenticate the client in the original VLAN or deny authentication even if the user name and password are correct.
The last bit of that sentence i'm not sure about though 'if the user name and password are correct', correct to what I wonder?
So my configuration would look like the following:
create vlan nt_login
configure netlogin vlan nt_login
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 password NOPASSWORD
configure netlogin mac authentication database-order radius
configure netlogin ports 20-22 mode mac-based-vlans
configure netlogin move-fail-action authenticate
enable netlogin ports 20-22 mac
enable netlogin mac
There looks like other commands I could use like:
configure netlogin authentication failure vlan Default ports 20-22
configure netlogin authentication service-unavailable vlan Default ports 20-22
So perhaps it just needs these?
Anyway, any other feedback would be great. Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-23-2018 11:31 AM
From memory you just add a port to the vlan you want and then enable netlogin on that port/
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-23-2018 11:31 AM
Indeed you need to create that netlogin vlan, but that could be just a bogus vlan.
Assign the right vlan to the ports, then on netlogin authentication if the radius server only sends accept without vlan VSA it would work as ISP mode.
Assign the right vlan to the ports, then on netlogin authentication if the radius server only sends accept without vlan VSA it would work as ISP mode.
