Network Login over MLAG

Starting with ExtremeXOS 22.4, NetLogin MAC-based authentication and 802.1X authentication are supported in policy mode (NetLogin web-based authentication is not supported) over MLAG ports. If an MLAG peer goes down, supplicants remain authenticated on the other MLAG peers and continue to send data traffic thereby providing redundancy.

After successful authentication, NetLogin passes the necessary information to the policy module (such as the port, MAC address, policy profile, and authentication result) for further processing, such as movement of the port to VLAN and insertion of MAC address in the FDB.
Note

Note

ISC port must be added to the destination VLAN for all dynamic VLANs on the switch.

Limitations

MLAG Support for Change of Authentication (CoA)

Starting with ExtremeXOS 30.4, MLAG support for Netlogin is extended for dynamic authorization and disconnect (CoA). CoA support (introduced in ExtremeXOS 22.1), which was implemented directly in the policy module, now moves to NetLogin.

The CoA messages that were previously handled directly by the policy module are now handled by the NetLogin module. With ExtremeXOS 30.4, the AAA module, on receiving the CoA messages from the RADIUS server, passes the data to NetLogin. Netlogin checks for the availability of the client, and the mode of authentication. If it finds a valid client, the CoA message is passed to policy for further processing. Additionally, NetLogin takes care of updating the MLAG peer about the dynamic authorization changes or disconnect. The NetLogin module on the MLAG peer passes the message to the policy module of that switch.

Limitations