Exclusions And Limitations; Configuring Network Login - Extreme Networks ExtremeWare 7.2e Installation And User Manual

Software version 7.2e
Security
• Once the first MAC is authenticated, the port is transitioned to the authenticated state and other
unauthenticated MACs can listen to all data destined for the first MAC. This could raise some
security concerns as unauthenticated MACs can listen to all broadcast and multicast traffic directed
to a Network Login-authenticated port.

Exclusions and Limitations

The following are limitations and exclusions for Network Login:
• All unauthenticated MACs see broadcasts and multicasts sent to the port if even a single
MAC is authenticated on that port.
• Network Login must be disabled on a port before that port can be deleted from a VLAN.
• In Campus mode, once the port moves to the destination VLAN, the original VLAN for that port is
not displayed.
• A Network Login VLAN port should be an untagged Ethernet port and should not be part of the
following protocols:
— ESRP
— STP
— VLAN Aggregation
— VLAN Translation
• Network Login is not supported for T1, E1, T3, ATM, PoS and MPLS TLS interfaces.
• No Hitless Failover support has been added for Network Login.
• Network Login and MAC-limits cannot be used together on the same switch (see "Network Login"
on page 150).
• EAP-NAK cannot be used to negotiate 802.1x authentication types.

Configuring Network Login

The following configuration example demonstrates how users can initially log in using web-based
authentication, allowing them limited access to the network in order to download the 802.1x client and
a certificate. After the client is configured, the user is then able to access the network by using 802.1x.
The example illustrates the following configuration steps:
1 Create a VLAN on all edge switches called "temp," which is the initial VLAN to which users will
connect before they are authenticated.
2 Create a VLAN on all edge and core switches called "guest," which is the VLAN from which users
will access the Certificate Authority and be able to download the 802.1x software.
The following example demonstrates the first network login configuration step for a Summit 48si edge
switch:
create vlan temp
configure temp ipaddress 192.168.1.1/24
configure temp add port 1-48
configure vlan temp dhcp-address-range 192.168.1.11 - 192.168.1.200
configure vlan temp dhcp-options default-gateway 192.168.1.1
enable netlogin port 1-48 vlan temp
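
The following consistency check for the commands above is an added example, not part of the original manual or of ExtremeWare. The names expand_ports and lint are hypothetical, the comma form of a port list is an assumption, and only the command forms shown in this example are parsed.

```python
import ipaddress
import re

# Constructed input: the six commands from the Summit 48si example, verbatim.
SAMPLE = """\
create vlan temp
configure temp ipaddress 192.168.1.1/24
configure temp add port 1-48
configure vlan temp dhcp-address-range 192.168.1.11 - 192.168.1.200
configure vlan temp dhcp-options default-gateway 192.168.1.1
enable netlogin port 1-48 vlan temp
"""

def expand_ports(spec):
    """Expand '1-48' (or, as an assumption, '1-4,7') into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def lint(config):
    """Return consistency findings; an empty list means every check passed."""
    vlans, netlogin, findings, ip = {}, [], [], ipaddress.ip_address
    for raw in config.splitlines():
        # The page writes both "configure temp ..." and "configure vlan temp ...".
        w = re.sub(r"^configure vlan ", "configure ", raw.strip()).split()
        if w[:2] == ["create", "vlan"]:
            vlans[w[2]] = {"ports": set()}
        elif w[:3] == ["enable", "netlogin", "port"]:
            netlogin.append((expand_ports(w[3]), w[5]))
        elif len(w) > 3 and w[0] == "configure" and w[1] in vlans:
            v = vlans[w[1]]
            if w[2] == "ipaddress": v["iface"] = ipaddress.ip_interface(w[3])
            elif w[2:4] == ["add", "port"]: v["ports"] |= expand_ports(w[4])
            elif w[2] == "dhcp-address-range": v["range"] = (ip(w[3]), ip(w[5]))
            elif w[2:4] == ["dhcp-options", "default-gateway"]: v["gw"] = ip(w[4])
    for name, v in vlans.items():
        iface, rng, gw = v.get("iface"), v.get("range"), v.get("gw")
        if iface and rng and not (rng[0] <= rng[1] and all(a in iface.network for a in rng)):
            findings.append(f"{name}: DHCP range is not inside {iface.network}")
        elif iface and rng and rng[0] <= iface.ip <= rng[1]:
            findings.append(f"{name}: DHCP range includes the switch address {iface.ip}")
        if iface and gw and gw not in iface.network:
            findings.append(f"{name}: default gateway {gw} is outside {iface.network}")
    for plist, name in netlogin:  # netlogin should cover only ports that are in the VLAN
        stray = sorted(plist - vlans.get(name, {"ports": set()})["ports"])
        if stray:
            findings.append(f"{name}: netlogin enabled on ports not in the VLAN: {stray}")
    return findings
```

Calling lint(SAMPLE) returns an empty list for the configuration as printed; any edit that moves the DHCP range outside 192.168.1.0/24 or enables netlogin on a port not added to "temp" produces a finding.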
156
ExtremeWare 7.2e Installation and User Guide
