Configuring network login – Extreme Networks 200 Series User Manual

Summit 200 Series Switch Installation and User Guide, page 76

Managing the Switch

A network login VLAN port should be an untagged Ethernet port and should not be part of the following protocols:

ESRP

STP

Rate-limiting is not supported on network login ports (both web-based and 802.1x).

EAP-NAK cannot be used to negotiate 802.1x authentication types.

Network login is only supported on the local ports of a stack master switch. In stack configurations,
the master cannot pass authentication down to slave switches.

Configuring Network Login

The following configuration example shows both the Extreme Networks switch configuration and the RADIUS server entries needed to support the example. VLAN corp is assumed to be a corporate subnet with connections to DNS and WINS servers, network routers, and so on. VLAN temp is a temporary VLAN created to provide connections to unauthenticated network login clients. This kind of configuration provides better security because unauthenticated clients do not connect to the corporate subnet and cannot send or receive any data there; they must authenticate before they gain access to the network.

ISP Mode:

Network login clients connected to ports 10 - 14, VLAN corp, are logged into the network in ISP mode. This is because the VLAN in which they reside while unauthenticated and the VLAN named by the RADIUS server Vendor Specific Attribute (VSA) Extreme-Netlogin-Vlan are the same, corp, so no port movement occurs. If this VSA is missing from the RADIUS server reply, ISP mode is also assumed.

Campus Mode:

On the other hand, clients connected to ports 2 - 5, VLAN temp, are logged into the network in Campus mode, because the port moves to VLAN corp after the client is authenticated. A port moves back and forth from one VLAN to the other as its authentication state changes.

Neither ISP nor Campus mode is tied to a port; both are tied to a user profile. In other words, if the VSA Extreme:Extreme-Netlogin-Vlan represents a VLAN different from the one in which the user currently resides, then VLAN movement occurs after login and again after logout. In the following example, it is assumed that campus users are connected to ports 2 - 5, while ISP users are logged in through ports 10 - 14.

NOTE

In the following sample configuration, any lines marked (Default) represent default settings and do not need to be explicitly configured.

create vlan "temp"
create vlan "corp"

# Configuration information for VLAN temp.
configure vlan "temp" ipaddress 198.162.32.10 255.255.255.0
configure vlan "temp" add port 2 untagged
configure vlan "temp" add port 3 untagged
configure vlan "temp" add port 4 untagged
configure vlan "temp" add port 5 untagged

# Configuration information for VLAN corp.
configure vlan "corp" ipaddress 10.203.0.224 255.255.255.0
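The following Python model, added here as an illustration and not code from the Extreme Networks guide or its switch software, works through the ISP-mode / Campus-mode decision and the port-movement rule described above against the sample configuration. It parses the `configure vlan ... add port` lines into a port table, checks each port against the restrictions listed at the top of this page (untagged only, not part of ESRP or STP), and then applies the RADIUS VSA Extreme-Netlogin-Vlan the way the guide describes: a missing VSA or one naming the port's current VLAN yields ISP mode with no movement, any other VLAN yields Campus mode with movement on login and a return to the original VLAN on logout. The corp port assignments for ports 10 - 14, the protocol membership flags and all function names are constructed assumptions for this example.

```python
"""Model of network login VLAN movement (added example; constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Matches the "configure vlan ... add port N untagged|tagged" lines of the sample.
ADD_PORT = re.compile(
    r'configure vlan "(?P<vlan>[^"]+)" add port (?P<port>\d+) (?P<tagging>untagged|tagged)'
)

# Lines for VLAN temp come from the guide's sample; the corp port lines for
# ports 10 - 14 are constructed here to match the prose (ISP users on 10 - 14).
SAMPLE_CONFIG = """
create vlan "temp"
create vlan "corp"
configure vlan "temp" add port 2 untagged
configure vlan "temp" add port 3 untagged
configure vlan "temp" add port 4 untagged
configure vlan "temp" add port 5 untagged
configure vlan "corp" add port 10 untagged
configure vlan "corp" add port 11 untagged
configure vlan "corp" add port 12 untagged
configure vlan "corp" add port 13 untagged
configure vlan "corp" add port 14 untagged
"""


@dataclass
class Port:
    number: int
    vlan: str                       # VLAN the port is in right now
    tagging: str                    # "untagged" or "tagged"
    home_vlan: str                  # VLAN the port returns to on logout
    authenticated: bool = False
    protocols: Set[str] = field(default_factory=set)  # e.g. {"stp"} (constructed flag)


def parse_port_config(config: str) -> Dict[int, Port]:
    """Build a port table from the add-port lines of a switch configuration."""
    ports: Dict[int, Port] = {}
    for line in config.splitlines():
        m = ADD_PORT.search(line)
        if m:
            n = int(m.group("port"))
            ports[n] = Port(n, m.group("vlan"), m.group("tagging"), m.group("vlan"))
    return ports


def validate_netlogin_port(port: Port) -> List[str]:
    """Return the restrictions from the guide that this port violates."""
    problems = []
    if port.tagging != "untagged":
        problems.append(f"port {port.number} must be untagged")
    for proto in ("esrp", "stp"):
        if proto in port.protocols:
            problems.append(f"port {port.number} must not be part of {proto.upper()}")
    return problems


def login_mode(port: Port, netlogin_vlan: Optional[str]) -> str:
    """Decide the mode from the user's VSA, not from the port itself."""
    # Missing VSA, or VSA equal to the VLAN the port already resides in: ISP mode.
    if netlogin_vlan is None or netlogin_vlan == port.vlan:
        return "ISP"
    return "Campus"


def login(port: Port, netlogin_vlan: Optional[str]) -> str:
    """Authenticate the client on this port; Campus mode moves the port."""
    mode = login_mode(port, netlogin_vlan)
    if mode == "Campus":
        port.vlan = netlogin_vlan
    port.authenticated = True
    return mode


def logout(port: Port) -> str:
    """Clear authentication; the port returns to its unauthenticated VLAN."""
    port.vlan = port.home_vlan
    port.authenticated = False
    return port.vlan


if __name__ == "__main__":
    table = parse_port_config(SAMPLE_CONFIG)
    print("port 2:", login(table[2], "corp"), "->", table[2].vlan, "->", logout(table[2]))
    print("port 10:", login(table[10], "corp"), "->", table[10].vlan)
    print("port 11 (no VSA):", login(table[11], None), "->", table[11].vlan)
```

Running the block prints the Campus-mode round trip for port 2 (temp to corp and back) and ISP mode with no movement for ports 10 and 11, matching the behaviour the guide attributes to the two port groups.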
