ExtremeSwitching (EXOS)

  • 1.  Using vlanauthorization RFC3580 on x460G2 and policy.

    Posted 12-12-2016 19:05
    I have several x460G2 switches that refuse to put ports in the correct vlan using RFC3580. I have NAC sending back VLAN ID and Extreme Policy. vlanauthorization is enabled globally, and on the ports. I am running version 22 of code. I use this to automatically put cameras, wireless APs, printers etc. into the correct VLAN. Everything works fine on the S4, B5, C5, A4 series switches. It's just the x460s that DON'T work.

    Any ideas?


  • 2.  RE: Using vlanauthorization RFC3580 on x460G2 and policy.

    Posted 12-12-2016 19:07
    Also... I can see that it is sending the vlan (tunnel attribute) 1001. Vlan 1001 is AdminComputer VLAN.

    Port : 7:48 Station address : c4:34:6b:5e:78:7d Auth status : success Last attempt : Mon Dec 12 14:56:50 2016
    Agent type : dot1x Session applied : true
    Server type : radius VLAN-Tunnel-Attr : 1001
    Policy index : 9 Policy name : Admin_Computers (active)
    Session timeout : 0 Session duration : 0:10:04
    Idle timeout : 300 Idle time : 0:00:45
    Termination time: Not Terminated


  • 3.  RE: Using vlanauthorization RFC3580 on x460G2 and policy.

    Posted 12-12-2016 19:11
    This is a working B5 using rfc3580 vlanauth



    Here is the same command run (just on the one port I am testing on the 460 G2)





  • 4.  RE: Using vlanauthorization RFC3580 on x460G2 and policy.

    Posted 12-12-2016 19:15
    Well, this fixed it:
    configure netlogin ports 7:48 authentication mode required
    However, I believe with this setting, if AUTH fails, all packets are discarded. I would prefer this NOT to happen. I believe you can't use a default role when you set authentication up this way.


  • 5.  RE: Using vlanauthorization RFC3580 on x460G2 and policy.

    Posted 12-12-2016 19:25
    Spoke too soon... It doesn't work. This has got to be a bug in the code as the Enterasys stuff just works.


  • 6.  RE: Using vlanauthorization RFC3580 on x460G2 and policy.

    Posted 12-13-2016 05:08
    configure policy maptable response both

    Thought I had it set... nope. Will test in the AM.


  • 7.  RE: Using vlanauthorization RFC3580 on x460G2 and policy.

    Posted 12-13-2016 14:08
    Hi Jeremy,

    You need to explicitly enable your authentication method both globally and on the ports. If you are using MAC auth, you need to configure netlogin add mac-list default. Whether auth-optional works or not might depend on the firmware version, see https://gtacknowledge.extremenetworks.com/articles/Solution/Port-not-properly-passing-traffic-after-....

    Erik


  • 8.  RE: Using vlanauthorization RFC3580 on x460G2 and policy.

    Posted 12-13-2016 14:08
    Yeah, I did. I forgot the conf policy maptable response both. I am used to enabling it on Enterasys via set policy maptable response both; however, I forgot about it on XOS. It just doesn't show up under show policy vlanauthorization. It shows vlan ID as none.


  • 9.  RE: Using vlanauthorization RFC3580 on x460G2 and policy.

    Posted 12-13-2016 14:56
    Got it working... But the command show policy vlanauth port 7:48 doesn't show that it's doing anything. Although, I can see 1001 untagged on the port.