configure netlogin authentication service-unavailable vlan

configure netlogin authentication service-unavailable [{add} | {delete} | {{vlan vlan_name} {ports port_list {tagged | untagged}}}]

Description

Configures authentication service-unavailable This command is available on the ExtremeSwitching X440-G2, X450-G2, X460-G2, X465, X590, X620, X670-G2, X690, X695, X870, 5320, 5420, 5520 series switches. on NetLogin-enabled ports.

Syntax Description

vlan_name Specifies the name of the service-unavailable VLAN.
port_list Specifies one or more ports or slots and ports. If the ports keyword is not used, the command applies to all ports.
add Add service-unavailable VLAN to ports (default).
tagged Configure port as tagged to the service-unavailable VLAN.
untagged Configure port as untagged to the service-unavailable VLAN (default).
delete Delete existing service-unavailable VLAN from ports.

Default

If a port is not specified, all NetLogin-enabled ports are applied.

If not specified, the command adds service-unavailable VLAN to ports by default.

If not specified, the ports are configured as untagged to the service-unavailable VLAN by default.

Usage Guidelines

This command configures authentication service-unavailable VLAN(s) on the specified NetLogin-enabled ports. Authentication service-unavailable VLAN is configured on all the NetLogin-enabled ports, if no port is specifically selected. When an authentication service is not available to authenticate the NetLogin clients, they are moved to the authentication service-unavailable VLAN(s) and are given limited access until the authentication service is available through RADIUS.

Starting with ExtremeXOS 30.2, you can specify up to 10 service-unavailable VLANs per port.

As of ExtremeXOS 16.1, the functionality of this command is more consistent with management authentications. If RADIUS responds with a reject, then that reject is honored.

There are four different authentication orders that can be configured per authentication method currently. They are:
  • RADIUS
  • Local
  • RADIUS, local
  • Local, RADIUS

The service unavailable VLAN is used only when authentication order is "RADIUS". The authentication failure VLAN is used for all other modes (local; RADIUS, local; local, RADIUS).

For example, when the Netlogin MAC authentication database order is local, RADIUS, if the authentication of a MAC client fails through a local database, RADIUS is used for authentication. If RADIUS also fails authentication, the client is moved to the authentication failure VLAN.

Authentication service is considered to be unavailable for RADIUS in the following cases:
  • RADIUS server is not running.
  • RADIUS server is not configured on the switch.
  • RADIUS server is configured but not enabled on the switch.
    Note

    Note

    If web is enabled on a port where Dot1x or MAC is also enabled, the authentication failure/service-unavailable VLAN configuration is not applicable to those clients where Dot1x or MAC clients that fail authentication or where authentication service is not available.

Example

The following example adds the service-unavailable VLAN "v1" on tagged ports 1 and 2:

# configure netlogin authentication service-unavailable add vlan v1 ports 1,2 tagged

History

This command was first available in ExtremeXOS 12.1.

The ability to configure multiple service-unavailable VLANs was added in ExtremeXOS 30.2.

Platform Availability

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, X670-G2, X690, X695, X870, 5320, 5420, and 5520 series switches.