How to configure netlogin dot1x with policy manager in exos
Information
Objective
Configuring dot1x netlogin with Policy Manager.
Environment
  • Exos 16.1
  • Policy
  • Netsight - Policy Manager
Procedure
Two prerequisites must be met before you start:
  1. The port must be associated with a VR.
  2. The port must be associated with a VLAN as untagged.

Once these prerequisites are met, continue with the steps below to configure Netlogin with Policy.
  1. Set up the domain, with the Inter-Switch Links configured as frozen.
Note: Freezing a port "locks" it so that nobody can accidentally reconfigure sensitive attributes such as port authentication or default role settings. For example, if a port is frozen and the administrator later assigns a default role to the entire device, the frozen port does not receive the new default role.
  2. Create the VLANs you would like to use for netlogin. In this example we use Pre-Login and nt-login.
  3. Create a Role called Pre-Login, associated with an unused VLAN. Set the access control to (Contain to VLAN), then set the unused VLAN as the contained VLAN. This Role's only action is to trigger authentication for the VLAN configured on the port. Also configure the VLAN egress as "none", since we do not want any egress traffic on these ports.
     A. Create the Role.
     B. Set the access control to (Contain to VLAN), then set the unused VLAN as the contained VLAN.
     C. Configure the VLAN egress as "none".
  4. Create a Role called nt-login in the same way, associated with the VLAN you want the authenticated users in. In this example we use VLAN 666. Set the Role access control to (Contain to VLAN), then set VLAN 666 as the contained VLAN, and finally add VLAN 666 to the VLAN egress as untagged. After successful authentication the user is placed in VLAN 666 (nt-login).
     A. Set the Role access control to (Contain to VLAN), then set VLAN 666 as the contained VLAN.
     B. Add VLAN 666 to the VLAN egress as untagged.
  5. Confirm that the Roles are applied to the ports on the switch.
  6. Once the Roles are in place with their VLANs associated with the ports, configure the RADIUS server, or add a NAC appliance if one is used; finally enable authentication from Network Elements/Port Groups, Authentication tab, and Apply.
  7. Once everything is set, enforce the policy to the device with the Enforce option. In this example the policy is configured for ports 7-12.
  8. Confirm the policy configuration on the switch after the enforce; the applied config looks as follows:
# Module policy configuration.
#
enable policy
configure netlogin port 7 authentication mode optional
configure netlogin port 8 authentication mode optional
configure netlogin port 9 authentication mode optional
configure netlogin port 10 authentication mode optional
configure netlogin port 11 authentication mode optional
configure netlogin port 12 authentication mode optional
configure policy profile 1 name "nt-login" pvid-status "enable" pvid 666 untagged-vlans 666
configure policy profile 2 name "ISL" pvid-status "enable" pvid 4095
configure policy profile 3 name "Pre-Login" pvid-status "enable" pvid 4001
configure policy rule admin-profile port 7 mask 16 port-string 7 admin-pid 3
configure policy rule admin-profile port 8 mask 16 port-string 8 admin-pid 3
configure policy rule admin-profile port 9 mask 16 port-string 9 admin-pid 3
configure policy rule admin-profile port 10 mask 16 port-string 10 admin-pid 3
configure policy rule admin-profile port 11 mask 16 port-string 11 admin-pid 3
configure policy rule admin-profile port 12 mask 16 port-string 12 admin-pid 3
configure policy maptable response both
configure policy vlanauthorization enable
# Module netLogin configuration.
#
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "h|vsfjb"
enable netlogin ports 7-26 dot1x
enable netlogin ports 7-26 mac
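Added example, not from the article or from Extreme Networks: a small Python check that parses the enforced EXOS policy and netlogin lines above and verifies the design the steps describe (Pre-Login profile with no VLAN egress, nt-login egressing its PVID 666 untagged, every dot1x-enabled port defaulting to the Pre-Login profile). The profile names are the article's; the config lines are an abridged copy of the article's output. Run against that output it reports ports 13-26, which `enable netlogin ports 7-26 dot1x` covers but no admin-profile rule does, so you can confirm that against the intended port range.

```python
import re
# Constructed sample: the policy and netlogin lines the article shows after enforce.
SAMPLE = """
configure policy profile 1 name "nt-login" pvid-status "enable" pvid 666 untagged-vlans 666
configure policy profile 3 name "Pre-Login" pvid-status "enable" pvid 4001
configure policy rule admin-profile port 7 mask 16 port-string 7 admin-pid 3
configure policy rule admin-profile port 8 mask 16 port-string 8 admin-pid 3
configure policy rule admin-profile port 9 mask 16 port-string 9 admin-pid 3
configure policy rule admin-profile port 10 mask 16 port-string 10 admin-pid 3
configure policy rule admin-profile port 11 mask 16 port-string 11 admin-pid 3
configure policy rule admin-profile port 12 mask 16 port-string 12 admin-pid 3
enable netlogin ports 7-26 dot1x
"""

PROFILE = re.compile(r'configure policy profile (\d+) name "([^"]+)".*? pvid (\d+)(?: untagged-vlans ([\d,-]+))?')
RULE = re.compile(r'configure policy rule admin-profile port (\d+) .* admin-pid (\d+)')
NETLOGIN = re.compile(r'enable netlogin ports ([\d,-]+) dot1x')

def expand(spec):  # EXOS port/VLAN list, e.g. '7-12,20' -> {7, ..., 12, 20}
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config, prelogin="Pre-Login", auth_role="nt-login"):
    """Return findings where the enforced config departs from the article's design."""
    profiles, rules, dot1x_ports = {}, {}, set()
    for line in config.splitlines():
        if m := PROFILE.match(line):
            pid, name, pvid, untag = m.groups()
            profiles[int(pid)] = (name, int(pvid), expand(untag) if untag else set())
        elif m := RULE.match(line):
            rules[int(m.group(1))] = int(m.group(2))
        elif m := NETLOGIN.match(line):
            dot1x_ports |= expand(m.group(1))
    by_name = {name: (pvid, untag) for name, pvid, untag in profiles.values()}
    findings = [f"profile {n} not defined" for n in (prelogin, auth_role) if n not in by_name]
    # The Pre-Login role only triggers authentication, so it must egress no VLAN.
    if prelogin in by_name and by_name[prelogin][1]:
        findings.append(f"{prelogin} egresses VLANs {sorted(by_name[prelogin][1])}")
    # The authenticated role must egress its own PVID untagged, or users pass no traffic.
    if auth_role in by_name and by_name[auth_role][0] not in by_name[auth_role][1]:
        findings.append(f"{auth_role} PVID {by_name[auth_role][0]} not in its untagged egress")
    # Every dot1x-enabled port needs an admin-profile rule that defaults it to Pre-Login.
    for port in sorted(dot1x_ports):
        name = profiles.get(rules.get(port), ("<none>",))[0]
        if name != prelogin:
            findings.append(f"port {port}: default profile {name}, expected {prelogin}")
    return findings
```

Paste the `show configuration policy` and netlogin output of your own switch into `audit()` after an enforce to get the same checks for your port range.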