configure netlogin authentication service-unavailable vlan

configure netlogin authentication service-unavailable vlan vlan_name {ports port_list}

Description

Configures the authentication service-unavailable VLAN (Virtual LAN) on network login enabled ports.

Syntax Description

vlan_name Specifies the name of the service-unavailable VLAN.
port_list Specifies one or more ports or slots and ports. If the ports keyword is not used, the command applies to all ports.

Default

Defaults to all network login enabled ports.

Usage Guidelines

This command configures the authentication service-unavailable VLAN on the specified network login enabled ports. If no port is specified, the VLAN is configured on all network login enabled ports. When no authentication service is available to authenticate network login clients, they are moved to the authentication service-unavailable VLAN and are given limited access until an authentication service becomes available, either through RADIUS (Remote Authentication Dial In User Service) or through the local database. As of ExtremeXOS 16.1, the behavior of this command is more consistent with management authentication: if RADIUS responds with a reject, that reject is honored. The local database is checked only when the RADIUS server does not respond.

Note

The local database can be configured for MAC and Web authentication method only, not for dot1x.

There are four different authentication orders which can be configured per authentication method currently. They are:
  • RADIUS.

  • Local.

  • RADIUS, local.

  • Local, RADIUS.

In each case, it is the end result of the whole order that decides whether the client is placed in the authentication failure VLAN or in the authentication service-unavailable VLAN (if configured).

For example, when the netlogin MAC authentication database order is local, radius, and authentication of a MAC client fails through the local database, RADIUS is used next. If RADIUS also rejects the client, the client is moved to the authentication failure VLAN. The same holds for every authentication database order (radius,local; local,radius; radius; local).

If authentication through the local database fails but succeeds through RADIUS, the client is moved to the appropriate destination VLAN.

If local authentication fails and the RADIUS server is not available, the client is not moved to the authentication failure VLAN.

Authentication service is considered to be unavailable for RADIUS in the following cases:
  • RADIUS server is not running.

  • RADIUS server is not configured on the switch.

  • RADIUS server is configured but not enabled on the switch.

Note

If web-based authentication is enabled on a port where dot1x or MAC authentication is also enabled, the authentication failure and service-unavailable VLAN configuration does not apply to dot1x or MAC clients on that port that fail authentication or for which the authentication service is not available.

For local authentication, the following cases are considered an authentication failure:
  • If the user is not created in the local database.
  • If the user is configured, but the password does not match.
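The VLAN-placement rules in the usage guidelines above (database order, RADIUS reject honored, local checked only when RADIUS does not respond, service-unavailable VLAN when the only remaining source is unreachable) expressed as a small decision model. This is an added example written for this page, not ExtremeXOS code; the local user table, the RADIUS server state and the VLAN names are constructed sample values.

```python
"""Model of the netlogin destination-VLAN decision described in the usage
guidelines for 'configure netlogin authentication service-unavailable vlan'.

Added illustration, not ExtremeXOS code.  All data below is constructed."""

from enum import Enum
from typing import List, Optional


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # only RADIUS can be unavailable


# Constructed local database: MAC authentication commonly uses the MAC
# address as both user name and password.
LOCAL_USERS = {"00:11:22:33:44:55": "00:11:22:33:44:55"}


def local_auth(user: str, password: str) -> Result:
    """Local database: an unknown user or a wrong password is a failure."""
    if LOCAL_USERS.get(user) != password:
        return Result.REJECT
    return Result.ACCEPT


def radius_auth(server: Optional[dict], user: str, password: str) -> Result:
    """RADIUS stand-in.  'server' is a constructed description of the switch
    state: None = no server configured; 'enabled' and 'running' flags model
    the other two unavailable cases from the page."""
    if server is None or not server.get("enabled") or not server.get("running"):
        return Result.UNAVAILABLE
    if server["users"].get(user) == password:
        return Result.ACCEPT
    return Result.REJECT


def destination_vlan(order: List[str], user: str, password: str,
                     server: Optional[dict], dest_vlan: str,
                     failure_vlan: str, unavailable_vlan: str) -> str:
    """Walk the configured database order (e.g. ["radius", "local"]).

    - A RADIUS accept or reject ends the walk; the reject is honored even if
      a later local lookup would have succeeded.
    - A RADIUS 'no response' falls through to the next source.
    - A local reject falls through to the next source, if any.
    - When every source is exhausted without an accept, the client goes to
      the failure VLAN, unless the RADIUS server was unavailable along the
      way, in which case it goes to the service-unavailable VLAN."""
    radius_unavailable = False
    for db in order:
        if db == "radius":
            r = radius_auth(server, user, password)
            if r is Result.ACCEPT:
                return dest_vlan
            if r is Result.REJECT:
                return failure_vlan
            radius_unavailable = True
        elif db == "local":
            if local_auth(user, password) is Result.ACCEPT:
                return dest_vlan
        else:
            raise ValueError("unknown database in order: %r" % db)
    return unavailable_vlan if radius_unavailable else failure_vlan


if __name__ == "__main__":
    up = {"enabled": True, "running": True, "users": {"aa:bb:cc:dd:ee:ff": "aa:bb:cc:dd:ee:ff"}}
    for order in (["radius", "local"], ["local", "radius"], ["radius"], ["local"]):
        for srv in (up, None):
            v = destination_vlan(order, "00:11:22:33:44:55", "00:11:22:33:44:55",
                                 srv, "Corp", "AuthFail", "SvcUnavail")
            print(order, "radius up" if srv else "radius unconfigured", "->", v)
```

The main block prints the outcome for every documented order with the RADIUS server either reachable or unconfigured, which makes the two easily confused cases visible side by side: a RADIUS reject that overrides a local match, and a local failure that lands in the service-unavailable VLAN rather than the failure VLAN because RADIUS never answered.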

History

This command was first available in ExtremeXOS 12.1.

Platform Availability

This command is available on the Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2, X590, X620, X690, X870 series switches.