802.1x not working on virtual EXOS ?

  • Problem
  • Updated 2 years ago
  • Solved
hi,

I am trying to build a model of the network, because during my traineeship I need to implement 802.1X for a customer who has 20 X460 switches.

Note:
the RADIUS server is an NPS on Windows 2012 R2
auth protocol: PEAPv0

I have tried to implement a test configuration with Virtual EXOS, but I don't understand why I don't detect any outbound packet from the switch, whereas I correctly detect a ping from the switch to the Windows server or the other way round.

I have read "Virtual EXOS installations are not officially supported by GTAC and not all features and functions are implemented", but there are no details...

Can someone confirm that 802.1X is supported by the VM and/or have an idea how to correct the problem?

Thank you
Stefaniak Fabien


Posted 2 years ago

OscarK, ESE

The EXOS VM does support dot1x as far as I know; the problem is that the vSwitch (or switch emulation) of your ESX host or VirtualBox PC is probably not passing PEAP from the switch port to the client.
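OscarK's diagnosis can be checked from a packet capture on the client's vNIC: 802.1X frames use EtherType 0x888E, and the switch's EAP-Request/Identity has to arrive there before PEAP can even start. The decoder below is an added example, not code from the thread or from Extreme; the MAC addresses and sample frames are constructed.

```python
"""Decode 802.1X (EAPOL) frames so a capture taken on the client side of a virtual
switch can be checked for the switch's EAP-Request/Identity.  Added example; the
MAC addresses and frames below are constructed, not captured from the thread."""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = "01:80:c2:00:00:03"   # 802.1X group address in the bridge-reserved range
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_eapol(frame: bytes):
    """Return a dict describing an EAPOL frame, or None if the frame is not 802.1X."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return None
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    info = {"dst": _mac(frame[:6]), "src": _mac(frame[6:12]), "version": version,
            "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    body = frame[18:18 + length]
    if ptype == 0 and len(body) >= 4:            # EAP-Packet: decode the EAP header
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        info["eap_id"] = ident
        if code in (1, 2) and eap_len >= 5:      # Request/Response carry a Type byte
            info["eap_type"] = EAP_TYPES.get(body[4], f"type {body[4]}")
    return info


def authenticator_frames_seen(frames, switch_mac: str) -> int:
    """Count EAPOL frames sourced by the switch (the authenticator).  Zero in a
    client-side capture while the client keeps sending EAPOL-Start means the
    virtual switch is dropping 802.1X traffic between the two VMs."""
    seen = 0
    for frame in frames:
        decoded = decode_eapol(frame)
        if decoded is not None and decoded["src"] == switch_mac:
            seen += 1
    return seen


# Constructed sample capture on the client's vNIC (hex, Ethernet header first).
SWITCH_MAC, CLIENT_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "0180c2000003" "020000000002" "888e" "02010000",                    # client EAPOL-Start
    "020000000002" "020000000001" "888e" "02000005" "01010005" "01",    # switch EAP-Request/Identity
    "020000000001" "020000000002" "888e" "02000006" "02010006" "1900",  # client EAP-Response/PEAP
    "020000000001" "020000000002" "0806" + "00" * 28,                   # ARP: not 802.1X at all
)]
```

In Fabien's setup the telling sign would be a capture containing only the client's EAPOL-Start frames and none sourced by the switch, while ICMP between the same two VMs goes through.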
Antonio Opromolla

Hi Fabien, I've got dot1x in my virtual EXOS and I'm also using W2K12 R2 NPS as RADIUS server for the authentication... and it is working...
My NPS policy is defined as:

And this is my virtual switch configuration:
#
# Module devmgr configuration.
#
configure snmp sysName "xos2"
configure snmp sysLocation "Ravenna"
configure snmp sysContact "administrator@demo.com"
configure sys-recovery-level switch reset

#
# Module vlan configuration.
#
configure vlan default delete ports all
configure vr VR-Default delete ports 1-4
configure vr VR-Default add ports 1-4
configure vlan default delete ports 1-4
create vlan "authvlan"
configure vlan authvlan tag 7
create vlan "nvlan"
create vlan "vlan10"
configure vlan vlan10 description "VLAN_192.168.10.0"
configure vlan vlan10 tag 10
create vlan "VLAN11"
configure vlan VLAN11 description "VLAN_192.168.11.0"
configure vlan VLAN11 tag 11
create vlan "VLAN12"
configure vlan VLAN12 description "VLAN_192.168.12.0"
configure vlan VLAN12 tag 12
configure vlan vlan10 add ports 1-4 untagged
configure vlan VLAN11 add ports 1-4 tagged
configure vlan VLAN12 add ports 1-4 tagged
configure vlan vlan10 ipaddress 192.168.10.97 255.255.255.0
configure vlan authvlan ipaddress 192.168.7.1 255.255.255.0

#
# Module mcmgr configuration.
#

#
# Module otm configuration.
#

#
# Module fdb configuration.
#

#
# Module rtmgr configuration.
#
configure iproute add default 192.168.10.1

#
# Module policy configuration.
#

#
# Module aaa configuration.
#
configure radius netlogin 1 server 192.168.10.98 1812 client-ip 192.168.10.97 vr VR-Default
configure radius 1 shared-secret encrypted "#$AwtxJWrBfk+4ouz/R41W0w4635+lRrsgdXJIdK51"
configure radius-accounting netlogin 1 server 192.168.10.98 1813 client-ip 192.168.10.97 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$6+vQhdqYjUr479W6+BKAUCDjZUWLNug20Ab3kCNv"
configure radius-accounting 1 timeout 10
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin
configure account admin encrypted "$5$Wk9qOc$sOap7lmStqNpgqSvfGCBZO/U/hY1V9.5NwtojdL5uq6"

#
# Module acl configuration.
#

#
# Module bfd configuration.
#

#
# Module bgp configuration.
#

#
# Module cfgmgr configuration.
#

#
# Module dosprotect configuration.
#
enable dos-protect

#
# Module dot1ag configuration.
#

#
# Module eaps configuration.
#

#
# Module edp configuration.
#
configure cdp device-id 00:50:56:81:14:E7

#
# Module elrp configuration.
#
enable elrp-client
configure elrp-client periodic vlan10 ports all interval 1 log-and-trap disable-port ingress duration 60
configure elrp-client periodic VLAN11 ports all interval 1 log-and-trap disable-port ingress duration 60
configure elrp-client periodic VLAN12 ports all interval 1 log-and-trap disable-port ingress duration 60
configure elrp-client disable-port exclude 1

#
# Module ems configuration.
#

#
# Module epm configuration.
#

#
# Module erps configuration.
#

#
# Module esrp configuration.
#

#
# Module etmon configuration.
#

#
# Module exsshd configuration.
#
enable ssh2

#
# Module hal configuration.
#
configure ports 1 debounce time 0
configure ports 2 debounce time 0
configure ports 3 debounce time 0
configure ports 4 debounce time 0

#
# Module idMgr configuration.
#
configure identity-management kerberos snooping aging time 300
enable identity-management
configure identity-management add ports 2-4
configure identity-management kerberos snooping add server 192.168.10.1

#
# Module ipSecurity configuration.
#

#
# Module isis configuration.
#

#
# Module lldp configuration.
#

#
# Module mpls configuration.
#

#
# Module mrp configuration.
#

#
# Module msdp configuration.
#

#
# Module netLogin configuration.
#
configure netlogin vlan authvlan
enable netlogin dot1x mac web-based
configure netlogin authentication protocol-order mac dot1x web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "}eqrt7ug" ports 2-3
enable netlogin ports 2-3 dot1x
enable netlogin ports 3 mac
enable netlogin ports 4 web-based
configure netlogin base-url "webauth.demo.com"
configure netlogin redirect-page "https://www.google.com"
configure netlogin ports 2 mode port-based-vlans
configure netlogin ports 2 no-restart
configure netlogin ports 3 mode mac-based-vlans
configure netlogin ports 3 no-restart
configure netlogin ports 4 mode mac-based-vlans
configure netlogin ports 4 no-restart
configure netlogin session-refresh 3600

#
# Module netTools configuration.
#
configure dns-client add name-server 192.168.10.1 vr VR-Default
configure dns-client add domain-suffix demo.com
configure bootprelay add 192.168.10.1 vr VR-Default
configure bootprelay dhcp-agent information option vr VR-Default
configure bootprelay dhcp-agent information check vr VR-Default
enable bootprelay ipv4 vlan VLAN11
enable bootprelay ipv4 vlan VLAN12
configure bootprelay vlan VLAN11 add 192.168.10.1
configure bootprelay vlan VLAN11 dhcp-agent information option on
configure bootprelay vlan VLAN11 dhcp-agent information check on
configure bootprelay vlan VLAN12 add 192.168.10.1
configure bootprelay vlan VLAN12 dhcp-agent information option on
configure bootprelay vlan VLAN12 dhcp-agent information check on
configure vlan authvlan dhcp-address-range 192.168.7.20 - 192.168.7.80
configure vlan authvlan dhcp-options default-gateway 192.168.7.1

#
# Module ntp configuration.
#
enable ntp
configure ntp server add 192.168.10.1

#
# Module openflow configuration.
#

#
# Module ospf configuration.
#

#
# Module ospfv3 configuration.
#
configure ospfv3 spf-hold-time 10

#
# Module pim configuration.
#

#
# Module poe configuration.
#

#
# Module rip configuration.
#

#
# Module ripng configuration.
#

#
# Module snmpMaster configuration.
#
configure snmpv3 delete group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv1
configure snmpv3 delete group "v1v2c_rw" user "v1v2c_rw" sec-model snmpv1
configure snmpv3 delete group "v1v2c_ro" user "v1v2c_ro" sec-model snmpv2c
configure snmpv3 delete group "v1v2c_rw" user "v1v2c_rw" sec-model snmpv2c
configure snmpv3 delete group "admin" user "admin" sec-model usm
configure snmpv3 delete group "initial" user "initial" sec-model usm
configure snmpv3 delete group "initial" user "initialmd5" sec-model usm
configure snmpv3 delete group "initial" user "initialsha" sec-model usm
configure snmpv3 delete group "initial" user "initialmd5Priv" sec-model usm
configure snmpv3 delete group "initial" user "initialshaPriv" sec-model usm
configure snmpv3 delete access "admin" sec-model usm sec-level priv
configure snmpv3 delete access "initial" sec-model usm sec-level noauth
configure snmpv3 delete access "initial" sec-model usm sec-level authnopriv
configure snmpv3 delete access "v1v2c_ro" sec-model snmpv1 sec-level noauth
configure snmpv3 delete access "v1v2c_ro" sec-model snmpv2c sec-level noauth
configure snmpv3 delete access "v1v2c_rw" sec-model snmpv1 sec-level noauth
configure snmpv3 delete access "v1v2c_rw" sec-model snmpv2c sec-level noauth
configure snmpv3 delete access "v1v2cNotifyGroup" sec-model snmpv1 sec-level noauth
configure snmpv3 delete access "v1v2cNotifyGroup" sec-model snmpv2c sec-level noauth
configure snmpv3 delete mib-view "defaultUserView" subtree 1.0
configure snmpv3 delete mib-view "defaultUserView" subtree 1.3.6.1.6.3.16
configure snmpv3 delete mib-view "defaultUserView" subtree 1.3.6.1.6.3.18
configure snmpv3 delete mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.4
configure snmpv3 delete mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.6
configure snmpv3 delete mib-view "defaultUserView" subtree 1.3.6.1.6.3.15.1.2.2.1.9
configure snmpv3 delete mib-view "defaultNotifyView" subtree 1.0
configure snmpv3 delete community "private"
configure snmpv3 delete community "public"
configure snmpv3 add user "snmpv3AdminUser" engine-id 80:00:07:7c:00:50:56:81:89:f1 authentication sha auth-encrypted localized-key 4d:76:23:fb:23:fd:23:1f:23:8d:71:23:bc:23:0e:23:86:2d:23:a5:23:f8:23:c2:4c:23:18:41:23:eb:32:23:a5 privacy aes 128 privacy-encrypted localized-key 23:f2:23:c9:23:86:5e:23:eb:23:9c:6a:59:61:23:fa:7b:3e:64:23:94:23:22:39
configure snmpv3 add group "v3group" user "snmpv3AdminUser" sec-model usm
configure snmpv3 add access "v3group" sec-model usm sec-level priv read-view "defaultAdminView" write-view "defaultAdminView" notify-view "defaultAdminView"
configure snmpv3 add target-addr "TVsnmpuser" param "TV1snmpuser" ipaddress 172.29.151.100 transport-port 162 tag-list "TVInformTag"
configure snmpv3 add target-addr "TVsnmpuser!" param "TV1snmpuser" ipaddress 192.168.10.100 transport-port 162 tag-list "TVInformTag"
configure snmpv3 add target-addr "TVsnmpv3AdminUser" param "TV1snmpv3AdminUser" ipaddress 192.168.10.100 transport-port 162 tag-list "TVInformTag"
configure snmpv3 add target-params "TV1snmpuser" user "snmpuser" mp-model snmpv3 sec-model usm sec-level priv
configure snmpv3 add target-params "TV1snmpv3AdminUser" user "snmpv3AdminUser" mp-model snmpv3 sec-model usm sec-level priv
configure snmpv3 add notify "TVInformTag" tag "TVInformTag" type inform
disable snmp access snmp-v1v2c
disable snmpv3 default-group
disable snmpv3 default-user

#
# Module stp configuration.
#
configure mstp region 0050568114e7

#
# Module techSupport configuration.
#
configure tech-support collector 12.38.14.200 tcp-port 800 ssl off

#
# Module telnetd configuration.
#

#
# Module tftpd configuration.
#

#
# Module thttpd configuration.
#
enable web https
configure ssl certificate hash-algorithm sha256

#
# Module twamp configuration.
#

#
# Module vmt configuration.
#

#
# Module vrrp configuration.
#

#
# Module vsm configuration.
#

#
# Module xmlc configuration.
#
create xml-notification target ExtremeControlCenter url https://192.168.10.100:8443/fusion_jb... vr VR-Default
configure xml-notification target ExtremeControlCenter user root encrypted-auth cm9vdDpwYXNzd29yZA==
enable xml-notification ExtremeControlCenter
configure xml-notification target ExtremeControlCenter add idMgr

After logging in with a user "dot1q", I've got:

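The configuration above hands 802.1X authentication to the NPS RADIUS server at 192.168.10.98 with a shared secret; the EAP exchange rides inside RADIUS Access-Requests, whose integrity rests on the Message-Authenticator attribute (RFC 3579). The following is an added example, not Antonio's or Extreme's code, with a constructed shared secret, identity and Request Authenticator, showing how that attribute is produced by a NAS and checked by a server.

```python
"""Build and verify the Message-Authenticator (RFC 3579) on a RADIUS Access-Request
that carries EAP, as a switch's netlogin sends to NPS.  Added example; the shared
secret, identity and Request Authenticator below are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 79, 80


def build_access_request(ident: int, authenticator: bytes, attrs, secret: bytes) -> bytes:
    """Serialise an Access-Request and append a correct Message-Authenticator:
    HMAC-MD5 over the whole packet with the attribute's 16 value bytes zeroed."""
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """True only if pkt carries a Message-Authenticator computed with this secret.
    A request without the attribute is rejected, as RFC 3579 section 3.2 tells a
    server to do for EAP; a wrong shared secret or any tampered byte also fails."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return False                                  # malformed attribute
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


# Constructed sample: EAP-Response/Identity "fabien" sent by the NAS at 192.168.10.97.
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))                  # 16 random bytes on a real wire
EAP_RESPONSE_IDENTITY = struct.pack("!BBH", 2, 1, 11) + b"\x01" + b"fabien"
SAMPLE_REQUEST = build_access_request(7, REQUEST_AUTHENTICATOR, [
    (ATTR_USER_NAME, b"fabien"),
    (ATTR_NAS_IP, bytes([192, 168, 10, 97])),
    (ATTR_EAP_MESSAGE, EAP_RESPONSE_IDENTITY),
], SECRET)
```

A mismatch between the secret configured with `configure radius 1 shared-secret` and the one in the NPS client entry shows up exactly here: the server silently drops the request and the switch only sees its `configure radius timeout` expire.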
Stefaniak Fabien

Thanks for your reply, and sorry for not being very reactive, but this project was pending...

I have made progress on this model, but I get a MAC address error with the Active Directory server. Did you also use VirtualBox, or what is your VM environment?
Antonio Opromolla

Hi, my hypervisor is VMware ESX 5.5 and the vSwitch where AD is connected is configured as follows:
Stefaniak Fabien

OK, thank you.