# ------------------------------------------------
# MAC-Based (Local) Network Login
# Displaying Network Login Settings
#
# show netlogin {port <port_list> vlan <vlan_name>}
# {dot1x {detail}} {mac} {web-based}
# --------------------
show netlogin mac
show netlogin mac-list
# --------------------
# Create netlogin vlan
# --------------------
create vlan netlogin_vlan
configure netlogin vlan netlogin_vlan
enable netlogin mac
configure netlogin mac authentication database-order local radius
# --------------------
# Port Enable / Disable
# --------------------
enable netlogin ports <port_list> mac
enable ports
# disable netlogin ports <port_list> mac
# --------------------
# Add mac address to local database
#
# configure netlogin add mac-list [<mac> {<mask>} | default]
# {encrypted} {<password>} {ports <port_list>}
# --------------------
configure netlogin add mac-list <pc_mac_address>
# --------------------
# delete mac address from local database
#
# configure netlogin delete mac-list [<mac> {<mask>} | default]
# --------------------
configure netlogin delete mac-list xx:xx:xx:xx:xx:xx
configure netlogin mac timers reauth-period 30
configure netlogin ports 19 mac
Network Login using Local MAC Address Configuration
# ------------------------
# View current configuration
# ------------------------
show netlogin
# ------------------------
# Create a Network Login VLAN
# ------------------------
create vlan "netlogin_vlan"
# ------------------------
# Assign a VLAN to Network Login
# ------------------------
configure netlogin vlan "netlogin_vlan"
# ------------------------
# Enable MAC-based Network Login Feature on switch
# ------------------------
enable netlogin mac
# ------------------------
# Enable MAC-based Network Login Feature on port
# ------------------------
enable netlogin ports 19 mac
# ------------------------
# Specify that the local database will be used for authentication
# ------------------------
configure netlogin mac authentication database-order local
# ------------------------
# Add MAC-based users to the local database
# ------------------------
create netlogin local-user 0050B60193ED 0050B60193ED
# ------------------------
# Verify Configuration
# ------------------------
show netlogin mac
VLAB-R1-X450-24t.17 # show netlogin mac
NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based ENABLED
NetLogin VLAN : "netlogin_vlan"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Disabled
Dynamic VLAN Uplink Ports : None
------------------------------------------------
MAC Mode Global Configuration
------------------------------------------------
MAC Address/Mask Password (encrypted) Port(s)
-------------------- ------------------------------ ------------------------
00:0F:1F:C5:61:FC/48 <not configured> any
00:50:B6:01:93:ED/48 <not configured> any
Default <not configured> any
Re-authentication period : 30
Authentication Database : Local-User database
------------------------------------------------
Port: 17, Vlan: Default, State: Enabled, Authentication: mac-based, Guest Vlan <Not Configured>: Disabled, Auth Failure Vlan <Not Configured>: Disabled, Auth Service-Unavailable Vlan <Not Configured>: Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:50:b6:01:93:ed 0.0.0.0 Yes, Locally MAC 9 0050B60193ED
-----------------------------------------------
Port: 19, Vlan: netlogin_vlan, State: Enabled, Authentication: mac-based, Guest Vlan <Not Configured>: Disabled, Auth Failure Vlan <Not Configured>: Disabled, Auth Service-Unavailable Vlan <Not Configured>: Disabled
MAC IP address Authenticated Type ReAuth-Timer User
-----------------------------------------------
VLAB-R1-X450-24t.17 #
# --------------------
# Configuration Information for VLAN corp
# No VLAN-ID is associated with VLAN corp.
# --------------------
configure vlan "corp_vlan" ipaddress 10.2.0.2 255.255.255.0
# --------------------
# Network Login Configuration
# --------------------
configure netlogin vlan "netlogin_vlan"
enable netlogin mac
enable netlogin ports 15 mac
configure netlogin add mac-list 00:0F:1F:C5:61:FC
configure netlogin add mac-list 00:50:b6:01:93:ed
configure netlogin delete mac-list 00:0F:1F:C5:61:FC
configure netlogin delete mac-list 00:50:B6:01:93:ED
configure netlogin timers reauth-period 30
create netlogin local-user 0050B60193ED 0050B60193ED
# --------------------
# RADIUS Configuration
# --------------------
show netlogin
Configuration saved to primary.cfg successfully.
(.18)VLAB-R1-X350-24t.10 # show netlogin
NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based ENABLED
NetLogin VLAN : "netlogin_vlan"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Disabled
Dynamic VLAN Uplink Ports : None
------------------------------------------------
Web-based Mode Global Configuration
------------------------------------------------
Base-URL : network-access.com
Default-Redirect-Page : ENABLED; http://www.extremenetworks.com
Logout-privilege : YES
Netlogin Session-Refresh : ENABLED; 3 minute(s) 0 second(s)
Refresh failures allowed : 0
Reauthenticate on refresh: Disabled
Authentication Database : Radius, Local-User database
Proxy Ports : 80(http),443(https)
------------------------------------------------
------------------------------------------------
802.1x Mode Global Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
EAPOL MPDU version to transmit : v1
Authentication Database : Radius
------------------------------------------------
------------------------------------------------
MAC Mode Global Configuration
------------------------------------------------
MAC Address/Mask Password (encrypted) Port(s)
-------------------- ------------------------------ ------------------------
00:1C:23:0F:0A:45/48 <not configured> any
Re-authentication period : 0 (Re-authentication disabled)
Authentication Database : Local-User database
------------------------------------------------
Port: 24, Vlan: Default, State: Enabled, Authentication: mac-based
Guest Vlan <Not Configured>: Disabled
Authentication Failure Vlan <Not Configured>: Disabled
Authentication Service-Unavailable Vlan <Not Configured>: Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:1c:23:0f:0a:45 192.168.1.31 Yes, Locally MAC 0 001C230F0A45
-----------------------------------------------
show netlogin mac
(.18)VLAB-R1-X350-24t.11 # show netlogin mac
NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based ENABLED
NetLogin VLAN : "netlogin_vlan"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Disabled
Dynamic VLAN Uplink Ports : None
------------------------------------------------
MAC Mode Global Configuration
------------------------------------------------
MAC Address/Mask Password (encrypted) Port(s)
-------------------- ------------------------------ ------------------------
00:1C:23:0F:0A:45/48 <not configured> any
Re-authentication period : 0 (Re-authentication disabled)
Authentication Database : Local-User database
------------------------------------------------
Port: 24, Vlan: Default, State: Enabled, Authentication: mac-based
Guest Vlan <Not Configured>: Disabled
Authentication Failure Vlan <Not Configured>: Disabled
Authentication Service-Unavailable Vlan <Not Configured>: Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:1c:23:0f:0a:45 192.168.1.31 Yes, Locally MAC 0 001C230F0A45
-----------------------------------------------
show netlogin port 24
(.18)VLAB-R1-X350-24t.12 # show netlogin port 24
Port : 24
Port Restart : Disabled
Allow Egress : None
Vlan : Default
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:1c:23:0f:0a:45 192.168.1.31 Yes, Locally MAC 0 001C230F0A45
-----------------------------------------------
show log messages memory-buffer
(.18)VLAB-R1-X350-24t.13 # show log messages memory-buffer
04/22/2008 20:55:44.62 <Info:AAA.authPass> Login passed for user admin through serial
04/22/2008 20:43:26.99 <Noti:DM.Notice> Setting hwclock time to system time, and broadcasting time
04/22/2008 20:42:19.49 <Info:nl.ClientAuthenticated> Network Login MAC user 001C230F0A45 logged in MAC 00:1C:23:0F:0A:45 port 24 VLAN(s) "Default", authentication Locally
04/22/2008 20:42:14.61 <Info:vlan.msgs.portLinkStateUp> Port 24 link UP at speed 1 Gbps and full-duplex
04/22/2008 20:42:12.35 <Info:HAL.Sys.Info> Internal power supply operational.
04/22/2008 20:42:12.18 <Info:vlan.msgs.portLinkStateUp> Port Mgmt link UP at speed 100 Mbps and full-duplex
04/22/2008 20:42:12.17 <Info:HAL.Card.Info> Switch is operational
04/22/2008 20:42:07.92 <Noti:EPM.system_stable> System is stable. Change to warm reset mode
04/22/2008 20:42:04.57 <Info:EPM.wdg_enable> Watchdog enabled
04/22/2008 20:41:54.87 <Info:DOSProt.Init> DOS protect application started successfully
04/22/2008 20:41:54.84 <Info:telnetd.info> **** telnetd started *****
04/22/2008 20:41:50.52 <Noti:DM.Notice> Node State[3] = OPERATIONAL
04/22/2008 20:41:50.22 <Info:tftpd.info> **** tftpd started *****
04/22/2008 20:41:47.31 <Info:nl.init> Network Login framework has been initialized
04/22/2008 20:41:47.02 <Noti:DM.Notice> Node State[2] = STANDBY
04/22/2008 20:41:47.02 <Info:DM.Info> Node INIT DONE ....
04/22/2008 20:41:46.51 <Noti:DM.Notice> Node State[1] = INIT
04/22/2008 20:41:46.08 <Info:HAL.Sys.Info> Hal initialization done.
04/22/2008 20:41:44.62 <Info:telnetd.info> telnetd listening on port 23
04/22/2008 20:41:43.65 <Info:HAL.Sys.Info> Starting hal initialization ....
04/22/2008 20:41:40.36 <Noti:DM.Notice> DM started
04/22/2008 20:41:40.11 <Noti:NM.Notice> NM started
04/22/2008 20:41:39.35 <Noti:EPM.start> EPM Started
04/22/2008 20:41:37.61 <Noti:EPM.wd_warm_reset> Changing to watchdog warm reset mode
04/22/2008 20:40:35.19 <Warn:EPM.all_shutdown> Shutting down all processes
04/22/2008 20:40:34.86 <Warn:EPM.reboot> Rebooting with reason
04/22/2008 20:36:34.99 <Warn:EPM.Upgrade.State> Upgrade status Start upgrade timer
04/22/2008 20:33:30.99 <Erro:nl.mac.MacListEmpty> Mac authentication was initiated, but mac-list for virtual router VR-Default is empty
04/22/2008 20:04:32.04 <Erro:nl.mac.MacListEmpty> Previous message repeated 3 additional times in the last 1413 second(s)
04/22/2008 19:43:33.71 <Warn:DM.Warning> devmgr does not have a connection to Backup to checkpoint
Lab
Setup CS-A
Setup CS-B
Setup Distribution Switch
Setup Student Switch
# --------------------------
# unconfigure switch
# --------------------------
unconfigure switch all
y
# --------------------------
# answer the questions
# --------------------------
n
n
y
n
n
# --------------------------
# disable all ports
# remove ports from default vlan
# --------------------------
disable ports all
configure vlan default delete port all
# --------------------------
# setup default vlan to support vPC
# --------------------------
configure vlan default add port 24
unconfigure vlan default ipaddress
configure vlan default ipaddress 192.168.<LG#>.1 255.255.255.0
configure snmp sysname SS-0<LG#>
save configuration ss-0<LG#>-netlogin-lab-init
y
n
# --------------------------
# make sure that the vPC can ping the switch
# ping 192.168.<LG#>.1
# --------------------------
# --------------------------
# Part X: Displaying the Network Login Configuration
# --------------------------
# --------------------------
# 1. Make sure that the MAC-based Network Login service is not configured.
# --------------------------
show netlogin mac
(Software Update Required) (.18)VLAB-R1-X350-245.28 # show netlogin mac
n mac-list
NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based DISABLED
NetLogin VLAN : <Not Configured>
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Disabled
Dynamic VLAN Uplink Ports : None
------------------------------------------------
MAC Mode Global Configuration
------------------------------------------------
Authentication Database : Radius, Local-User database
# --------------------------
# 2. Verify that the local MAC database (a list of MAC addresses that
# is stored on the switch) is empty.
# --------------------------
show netlogin mac-list
(Software Update Required) (.18)VLAB-R1-X350-245.29 # show netlogin mac-list
(Software Update Required) (.18)VLAB-R1-X350-245.30 #
# --------------------------
# Part X: Configuring the Network Login VLAN
# The Network Login VLAN is an internal VLAN that enables the system to
# access the Network Login Service. You will not add any ports to this
# VLAN, however, later in this lab, you will configure ports to use the
# Network Login Service.
# --------------------------
# --------------------------
# 1. Create a VLAN to support the Network Login service.
# --------------------------
create vlan netlogin_vlan
# --------------------------
# 2. Associate the VLAN to the Network Login Service.
# --------------------------
configure netlogin vlan netlogin_vlan
# --------------------------
# Part X: Configuring MAC address authentication
# --------------------------
# --------------------------
# 1. Enable MAC address authentication option of the Network Login Service.
# --------------------------
enable netlogin mac
# --------------------------
# 2. Configure the MAC address authentication process to use the local
# database. The options available are local and radius. The system will
# search the local database and the RADIUS database in the order in
# which the options are entered. If the local option is entered first, then
# the local database will be interrogated before the RADIUS database. You may
# also configure the system to search only the local or only the RADIUS
# database by entering just one of the two options.
# --------------------------
configure netlogin mac authentication database-order local
# --------------------------
# make sure that the vPC can ping the switch
# ping 192.168.<LG#>.1
# --------------------------
# --------------------------
# 3. Select the ports that will subscribe to the Network Login Service.
# --------------------------
enable netlogin ports 24 mac
# --------------------------
# make sure that the vPC can no longer ping the switch
# ping 192.168.<LG#>.1
# --------------------------
# --------------------------
# Part X: Managing Authorized MAC Addresses
# There are two parts to managing the authorized MAC Addresses.
# The first part is to create an entry in the MAC address database.
# The second part is to create a corresponding entry in the user
# database for the configured MAC address.
# --------------------------
# --------------------------
# 1. Add the MAC addresses to the local database. MAC addresses are
# entered using the colon as a separator. For example, 00:00:05:00:FB:01.
# --------------------------
configure netlogin add mac-list <pc_mac_address>
# --------------------------
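# Add MAC-based users to the local database. When entering the following
# command, you will substitute the user-name and password options with the
# MAC address of the IP phone. When entering the MAC address, enter the MAC
# address used in the last step, omitting the colon (:) character. For
# instance, the MAC address from the example above would be entered as
# 00000500FB01.
# Note: because the user name and password are both the MAC address itself,
# this check identifies a device by its address rather than by a secret;
# treat it as a weaker control than 802.1x.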
#
# To determine the MAC (physical) address of your vPC, enter the command
# 'ipconfig /all' at a command prompt.
# --------------------------
create netlogin local-user <user-name> <password>
# --------------------------
# Part X: Testing the configuration
# --------------------------
# --------------------------
# Part X: Displaying the configuration
# --------------------------
show netlogin
Configuration saved to primary.cfg successfully.
(.18)VLAB-R1-X350-24t.10 # show netlogin
NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based ENABLED
NetLogin VLAN : "netlogin_vlan"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Disabled
Dynamic VLAN Uplink Ports : None
------------------------------------------------
Web-based Mode Global Configuration
------------------------------------------------
Base-URL : network-access.com
Default-Redirect-Page : ENABLED; http://www.extremenetworks.com
Logout-privilege : YES
Netlogin Session-Refresh : ENABLED; 3 minute(s) 0 second(s)
Refresh failures allowed : 0
Reauthenticate on refresh: Disabled
Authentication Database : Radius, Local-User database
Proxy Ports : 80(http),443(https)
------------------------------------------------
------------------------------------------------
802.1x Mode Global Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
EAPOL MPDU version to transmit : v1
Authentication Database : Radius
------------------------------------------------
------------------------------------------------
MAC Mode Global Configuration
------------------------------------------------
MAC Address/Mask Password (encrypted) Port(s)
-------------------- ------------------------------ ------------------------
00:1C:23:0F:0A:45/48 <not configured> any
Re-authentication period : 0 (Re-authentication disabled)
Authentication Database : Local-User database
------------------------------------------------
Port: 24, Vlan: Default, State: Enabled, Authentication: mac-based
Guest Vlan <Not Configured>: Disabled
Authentication Failure Vlan <Not Configured>: Disabled
Authentication Service-Unavailable Vlan <Not Configured>: Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:1c:23:0f:0a:45 192.168.1.31 Yes, Locally MAC 0 001C230F0A45
-----------------------------------------------
show netlogin mac
(.18)VLAB-R1-X350-24t.11 # show netlogin mac
NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based ENABLED
NetLogin VLAN : "netlogin_vlan"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Disabled
Dynamic VLAN Uplink Ports : None
------------------------------------------------
MAC Mode Global Configuration
------------------------------------------------
MAC Address/Mask Password (encrypted) Port(s)
-------------------- ------------------------------ ------------------------
00:1C:23:0F:0A:45/48 <not configured> any
Re-authentication period : 0 (Re-authentication disabled)
Authentication Database : Local-User database
------------------------------------------------
Port: 24, Vlan: Default, State: Enabled, Authentication: mac-based
Guest Vlan <Not Configured>: Disabled
Authentication Failure Vlan <Not Configured>: Disabled
Authentication Service-Unavailable Vlan <Not Configured>: Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:1c:23:0f:0a:45 192.168.1.31 Yes, Locally MAC 0 001C230F0A45
-----------------------------------------------
show netlogin port 24
(.18)VLAB-R1-X350-24t.12 # show netlogin port 24
Port : 24
Port Restart : Disabled
Allow Egress : None
Vlan : Default
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
MAC IP address Authenticated Type ReAuth-Timer User
00:1c:23:0f:0a:45 192.168.1.31 Yes, Locally MAC 0 001C230F0A45
-----------------------------------------------
show log messages memory-buffer
(.18)VLAB-R1-X350-24t.13 # show log messages memory-buffer
04/22/2008 20:55:44.62 <Info:AAA.authPass> Login passed for user admin through serial
04/22/2008 20:43:26.99 <Noti:DM.Notice> Setting hwclock time to system time, and broadcasting time
04/22/2008 20:42:19.49 <Info:nl.ClientAuthenticated> Network Login MAC user 001C230F0A45 logged in MAC 00:1C:23:0F:0A:45 port 24 VLAN(s) "Default", authentication Locally
04/22/2008 20:42:14.61 <Info:vlan.msgs.portLinkStateUp> Port 24 link UP at speed 1 Gbps and full-duplex
04/22/2008 20:42:12.35 <Info:HAL.Sys.Info> Internal power supply operational.
04/22/2008 20:42:12.18 <Info:vlan.msgs.portLinkStateUp> Port Mgmt link UP at speed 100 Mbps and full-duplex
04/22/2008 20:42:12.17 <Info:HAL.Card.Info> Switch is operational
04/22/2008 20:42:07.92 <Noti:EPM.system_stable> System is stable. Change to warm reset mode
04/22/2008 20:42:04.57 <Info:EPM.wdg_enable> Watchdog enabled
04/22/2008 20:41:54.87 <Info:DOSProt.Init> DOS protect application started successfully
04/22/2008 20:41:54.84 <Info:telnetd.info> **** telnetd started *****
04/22/2008 20:41:50.52 <Noti:DM.Notice> Node State[3] = OPERATIONAL
04/22/2008 20:41:50.22 <Info:tftpd.info> **** tftpd started *****
04/22/2008 20:41:47.31 <Info:nl.init> Network Login framework has been initialized
04/22/2008 20:41:47.02 <Noti:DM.Notice> Node State[2] = STANDBY
04/22/2008 20:41:47.02 <Info:DM.Info> Node INIT DONE ....
04/22/2008 20:41:46.51 <Noti:DM.Notice> Node State[1] = INIT
04/22/2008 20:41:46.08 <Info:HAL.Sys.Info> Hal initialization done.
04/22/2008 20:41:44.62 <Info:telnetd.info> telnetd listening on port 23
04/22/2008 20:41:43.65 <Info:HAL.Sys.Info> Starting hal initialization ....
04/22/2008 20:41:40.36 <Noti:DM.Notice> DM started
04/22/2008 20:41:40.11 <Noti:NM.Notice> NM started
04/22/2008 20:41:39.35 <Noti:EPM.start> EPM Started
04/22/2008 20:41:37.61 <Noti:EPM.wd_warm_reset> Changing to watchdog warm reset mode
04/22/2008 20:40:35.19 <Warn:EPM.all_shutdown> Shutting down all processes
04/22/2008 20:40:34.86 <Warn:EPM.reboot> Rebooting with reason
04/22/2008 20:36:34.99 <Warn:EPM.Upgrade.State> Upgrade status Start upgrade timer
04/22/2008 20:33:30.99 <Erro:nl.mac.MacListEmpty> Mac authentication was initiated, but mac-list for virtual router VR-Default is empty
04/22/2008 20:04:32.04 <Erro:nl.mac.MacListEmpty> Previous message repeated 3 additional times in the last 1413 second(s)
04/22/2008 19:43:33.71 <Warn:DM.Warning> devmgr does not have a connection to Backup to checkpoint