ExtremeSwitching (EXOS)

  • 1.  Multisession on single port problem

    Posted 03-15-2017 11:38
    Hi

    I have a problem assigning an IP to a MAC-based authentication session (printer) on an x440 single port.
    The situation looks like this:

    computer---
    computer--- desktop switch ----- x440 switch single port
    printer-------

    All dot1x sessions (users) are accepted and work fine, but the MAC session is not.

    Port : 43
    Authentication : 802.1x, mac-based
    Port State : Enabled
    Authentication Mode : Required (Policy Enabled only)
    Max Supported Users : 256 (Policy Enabled only)
    Allowed Users : 128 (Policy Enabled only)
    Current Users : 3 (Policy Enabled only)
    ------------------------------------------------
    802.1x Port Configuration
    ------------------------------------------------
    Quiet Period : 300
    Supplicant Response Timeout : 120
    Re-authentication : On
    Re-authentication period : 0
    Max Re-authentications : 3
    RADIUS server timeout : 120
    ------------------------------------------------
    MAC Mode Port Configuration
    ------------------------------------------------
    Re-authentication period : 7200
    Re-authentication : On
    Authentication Delay : 120 seconds
    ------------------------------------------------
    Netlogin Clients
    ------------------------------------------------

    MAC IP address Authenticated Type ReAuth-Timer User
    00:0f:fe:xx:xx:xx 0.0.0.0 Yes, Radius 802.1x 0 user
    00:23:7d:xx:xx:xx 0.0.0.0 Yes, Radius MAC 4385 00-23-7D-XX-XX-XX
    94??80:xx:xx:xx 0.0.0.0 Yes, Radius 802.1x 0 user
    -----------------------------------------------
    (B) - Client entry Blackholed in FDB

    On NAC Manager I see that user (dot1x) sessions are resolving IP addresses using the RADIUS server, which is visible in the request (in the table), but MAC sessions are not.

    When I connect the printer directly to the x440 port, everything works fine.

    Please help

    Regards Mark



  • 2.  RE: Multisession on single port problem

    Posted 03-15-2017 17:56
    Anybody?


  • 3.  RE: Multisession on single port problem

    Posted 03-15-2017 20:24
    Maybe you could post some more information...
    Software version, show config netlogin, show config policy and show config aaa.

    Does it work if you only attach the printer behind the switch?
    Could it be a maximum user limit on the port?
    Does the MAC show up in the FDB?
    Did you enable logging?
    What happens if you connect the printer (with logging enabled)?


  • 4.  RE: Multisession on single port problem

    Posted 03-17-2017 05:49
    So 🙂 this is what I've got:

    show switch
    SysName: LOL
    SysLocation: LOL
    SysContact: Marek Konopinski
    System MAC: 00:04:96:XX:XX:XX
    System Type: X440G2-48t-10G4

    Current State: OPERATIONAL
    Image Selected: primary
    Image Booted: primary
    Primary ver: 21.1.1.4
    patch1-3
    Secondary ver: 21.1.1.4

    Config Selected: primary.cfg
    Config Booted: Factory Default

    primary.cfg Created by ExtremeXOS version 21.1.1.4
    1225234 bytes saved on Thu Mar 16 09:39:51 2017

    show version
    Switch : 800617-00-09 1634N-40777 Rev 9.0 BootROM: 1.0.1.8 IMG: 21.1.1.4
    PSU-1 : Internal Power Supply
    PSU-2 :

    Image : ExtremeXOS version 21.1.1.4 21.1.1.4-patch1-3 by release-manager
    on Wed May 4 16:47:32 EDT 2016
    BootROM : 1.0.1.8
    Diagnostics : 5.4

    NETLOGIN conf

    enable netlogin dot1x mac
    configure netlogin mac authentication database-order radius
    configure netlogin authentication protocol-order dot1x mac web-based
    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
    enable netlogin ports 1-46 dot1x
    enable netlogin ports 1-46 mac
    configure netlogin dot1x ports 1-46 timers quiet-period 5

    configure netlogin dot1x ports 47 timers reauth-period 30 reauth-max 4 - uplink (interswitch)
    configure netlogin dot1x ports 48 timers reauth-period 30 reauth-max 4 - uplink (interswitch)
    enable netlogin reauthenticate-on-refresh
    configure netlogin session-refresh 30
    configure netlogin allowed-refresh-failures 5
    configure netlogin mac ports 1 timers reauthentication on

    configure netlogin idle-timeout dot1x 0
    configure netlogin idle-timeout web-based 0
    configure netlogin idle-timeout mac 0
    configure netlogin port 47 authentication mode optional
    configure netlogin port 48 authentication mode optional

    OTHER conf

    enable radius
    enable radius mgmt-access
    enable radius netlogin
    enable radius-accounting
    enable radius-accounting mgmt-access
    enable radius-accounting netlogin
    enable log target syslog "IP":514 vr VR-Mgmt local4
    enable log target syslog "IP":514 vr VR-Default local4
    enable ssh2
    enable netlogin dot1x mac
    enable netlogin ports 1-46 dot1x
    enable netlogin ports 1-46 mac
    enable netlogin reauthenticate-on-refresh
    enable stpd s0

    Also, I cannot enable one option:

    configure netlogin port (port number/range) mode mac-based-vlans

    because after "port (port number/range)" there is no "mode" option.

    regards
    Marek


  • 5.  RE: Multisession on single port problem

    Posted 03-17-2017 05:49


  • 6.  RE: Multisession on single port problem

    Posted 03-17-2017 05:49
    It ain't that... I read it already, but my problem is different.


  • 7.  RE: Multisession on single port problem

    Posted 03-17-2017 21:15
    Hello Marek,

    you have a G2 with software >=21, so you can choose between two different
    versions of netlogin: the old one from EXOS or the even older one from EOS,
    which is implemented in versions 16 and 21 on G2 hardware.

    The EXOS one can do dot1x and MAC auth with multiple hosts on the same port.
    There's a single VLAN and a multi VLAN model. It's configured like this:

    !aaa
    configure radius primary server 10.0.0.1 client-ip 10.1.1.2 vr "VR-Default" shared-secret geheim
    enable radius netlogin

    !create a dummy vlan and attach it do the netlogin process
    create vlan ZNETLOGIN_DUMMY
    configure netlogin vlan "ZNETLOGIN_DUMMY"

    !enable netlogin globally
    enable netlogin mac dot1x

    !enable netlogin per port
    enable netlogin port 5 mac dot1x

    !do mac-auth for all mac-addresses
    configure netlogin add mac-list default

    !test it and look for sessions:
    show netlogin [port 5]

    And the new (EOS) way....

    !switch to policy mode (this makes the world great again!)
    enable policy

    !mode optional on all ports
    configure netlogin ports all authentication mode optional

    !enable netlogin globally and per port
    enable netlogin mac dot1x
    enable netlogin ports 5 mac dot1x

    !do mac-auth for all mac-addresses
    configure netlogin add mac-list default

    !test it and look for sessions:
    show netlogin sessions

    Classic netlogin vs. policy mode:

    In policy mode you can authenticate and authorize each mac on a port
    individually. Mac-authentication and dot1x run simultaneously and
    the better method wins:

    Authentication Protocol Order: 802.1x, web-based, mac-based (default)

    So one protocol is sufficient to get a valid netlogin session.

    For each port EOS has four different configurations for how packets are
    handled:

    - Forced Authorized: netlogin disabled, packets always forwarded
    - Forced UnAuthorized: netlogin disabled, packets always dropped
    - Authentication Required: netlogin enabled, unauthenticated packets dropped
    - Authentication Optional (with optional Policy/Filterlist):
    netlogin enabled, unauthenticated packets forwarded

    EXOS implements only Required and Optional. You can disable netlogin
    per port to get the 'forced' modes. See the policy course for
    more detailed information...



  • 8.  RE: Multisession on single port problem

    Posted 03-17-2017 21:36
    Hello Marek,

    Now your problem. It seems you used commands from both concepts. But your configuration
    works. You see the session.

    The missing IP in EAC is something totally different. After a successful authentication
    the EAC waits 10 seconds to start the resolving process. If it fails it waits 60 seconds, tries
    again, waits 60 seconds and tries again. So after 2:10 it stops the process and you
    get 'ip resolution failed'.

    There are about 5 ways to fix this:
    1. update to EXOS 22.2 and EMC/EAC 7.1 and enable nodealias
    2. forward DHCP packets from every router in every VLAN to one or two EACEs
    3. configure an IP address in every VLAN in the switch
    4. tell EAC the default gateway for the VLAN/switch combination
    5. ...
    1 works always, 2 only with DHCP clients, 3 should work, 4 works only with one VLAN
    per switch, ....

    In your case, turn off the printer, plug it into the mini switch, and turn it on again. It
    should work. If not, enable end-system diagnostics in the EACE.

    See Extreme Access Control course for more information...
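As an added example (not code from this thread or from Extreme), a small Python parser for the `show netlogin` client table Marek posted in the first message: it picks out the authenticated clients for which the switch still reports 0.0.0.0, which are the sessions to check next in EAC's end-system diagnostics as described in the last reply. The whitespace-separated column layout is assumed from the rows in the post, and the sample MACs and the one resolved IP are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the "show netlogin" client table posted above;
# the MAC addresses and the one resolved IP are made up for this example.
SAMPLE_NETLOGIN_OUTPUT = """\
MAC IP address Authenticated Type ReAuth-Timer User
00:0f:fe:11:22:33 0.0.0.0 Yes, Radius 802.1x 0 user
00:23:7d:44:55:66 0.0.0.0 Yes, Radius MAC 4385 00-23-7D-44-55-66
94:80:aa:bb:cc:dd 10.1.1.50 Yes, Radius 802.1x 0 user
(B) - Client entry Blackholed in FDB
"""

# One client row: MAC, IP, "Yes, <database>" or "No", auth type, reauth timer, optional user.
ROW_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<auth>Yes, \w+|No)\s+(?P<type>\S+)\s+(?P<reauth>\d+)(?:\s+(?P<user>\S+))?\s*$",
    re.IGNORECASE,
)

@dataclass
class Session:
    mac: str
    ip: str
    authenticated: bool
    auth_type: str
    reauth_timer: int
    user: str

def parse_sessions(text: str) -> list[Session]:
    """Parse the client rows; the header, separator and legend lines do not match and are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            sessions.append(Session(m["mac"].lower(), m["ip"], m["auth"].lower().startswith("yes"),
                                    m["type"], int(m["reauth"]), m["user"] or ""))
    return sessions

def sessions_without_ip(sessions: list[Session]) -> list[Session]:
    """Authenticated clients for which the switch still reports 0.0.0.0: these are the
    ones to look at next in EAC's end-system diagnostics, as the thread suggests."""
    return [s for s in sessions if s.authenticated and s.ip == "0.0.0.0"]

if __name__ == "__main__":
    for s in sessions_without_ip(parse_sessions(SAMPLE_NETLOGIN_OUTPUT)):
        print(f"{s.mac} ({s.auth_type}) authenticated, no IP learned")
```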