dot1x authentication

Create Date: Oct 13 2012 3:04AM

Hello All,

We are in the process of migrating from old EW based switches to XOS based ones at our corporate office. On the old EW switches, I had dot1x (netlogin) working wherein I would have a port manually assigned to a VLAN and netlogin enabled for it. My Radius server would authenticate on the basis of computer/user name and would return no VSA or vlan tag. So once authenticated, the client would belong to the vlan the port was originally assigned to. This I guess is ISP mode operation.

On our new XOS based switches, I see that you need to assign a netlogin vlan to even enable the dot1x feature. Although the Extreme documentation is detailed, I am trying to see how to get this to work for my scenario. I have a summit stack of around 4-5 nodes with localized vlans on each node. I don't use a dedicated mgmt vlan but an ip from one of these vlans for switch mgmt. This would be the Radius client ip.

I have a floor migration this weekend. Any help would be most appreciated. Tks again.

(from Anush_Santhanam)
Create Date: Oct 16 2012 6:02AM

Hello All,

I thankfully managed to get this working. Ideally, you would want your Radius to return the appropriate VSA for placing a port in the necessary VLAN. But as indicated I am only trying to get ISP mode to work so I statically assigned the port to the necessary vlan and added the dot1x authentication feature and it worked.

On a slightly unrelated note, I can see from the documentation that ELRP is not supported with Netlogin. Is this correct? For the edge loop prevention, I am guessing that netlogin would in a way handle that as well and I can possibly set a mac learning limit. Can you please advise? Tks.

(from Anush_Santhanam)
Create Date: Oct 16 2012 7:49AM

Hi Excalibur,

I recommend using STP on the edge with netlogin.  What I have done at some customers is create a dummy vlan only for STP and then add that to all of my edge ports.  Then enable BPDU restrict and edge-safeguard on every edge port as well.

I have tested this and it works. I like it better than ELRP. If you're using ELRP and someone creates a loop between 2 switches you run the risk of the uplink port being disabled on one of the switches. STP with BPDU-restrict and edge-safeguard means that the port is administratively disabled once it receives a single BPDU. The admin must then log in to the switch and re-enable the port.

If you're trying to protect users from creating loops at the edge then mac-limit-learning won't help.  That won't prevent loops of unknown unicast packets.  You really do need something like STP or ELRP at the edge to prevent loops.

Thanks,
Andrew

(from Andrew_McConachie)
Create Date: Oct 20 2012 7:40PM

Hello Andrew,

Thank you so much for taking the time. This is an excellent suggestion and one that I have also used. I should have been a bit clearer. Sorry for that. One of the biggest problems in my environment relates to the uncontrolled use of hubs and the possibility of loops through them (edge ports). I can see the edge safeguard and bpdu restrict helping with problems that switches can cause. How about hubs? One clarification. When you set up the dummy vlan, would you set up the edge ports as tagged for that vlan? The reason I ask this is because the edge ports will be configured for the necessary data/voice vlans anyway. Tks.

(from Anush_Santhanam)
Create Date: Mar 15 2013 1:29PM

Hey Andrew,

How did you do that? Could you please post the commands here if you don't mind?
Does it look something like this:

```
create stpd stp-test
conf stpd stp-test mode dot1d
conf stpd stp-test add vlan <tagged-vlan-name> ports 1-24 emistp
conf stpd stp-test ports link-type edge 1-24
conf stpd stp-test ports edge-safeguard enable 1-24 bpdu-restrict
conf stpd stp-test tag <vlan-tag>
en stpd stp-test
```

Thanks!

(from Shashank_S Kumar)
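As an added example (not posted by anyone in this thread), here is a full EXOS configuration that combines the ISP-mode netlogin setup from the second post with Andrew's dummy-VLAN STP edge protection: the RADIUS server returns no VSA, so authenticated ports stay in their statically assigned data VLAN, while a tagged dummy VLAN carries STP so that any BPDU reflected back through a hub or loop administratively disables the port. The VLAN names, tags, port list, stpd name, and the RADIUS/client IP addresses are assumed placeholders.

```exos
# Added example: EXOS, ISP-mode netlogin plus STP edge-safeguard with BPDU restrict.
# Assumed (placeholder) values: data VLAN "Data" tag 10, netlogin holding VLAN
# "temp-netlogin" tag 4000, dummy STP VLAN "stp-dummy" tag 999, stpd "s-edge",
# RADIUS server 10.0.0.5, switch/client IP 10.0.10.2, edge ports 1:1-1:24.

# 1. RADIUS client: the switch's own IP in the data VLAN is the NAS address,
#    since no dedicated management VLAN is used.
configure radius netlogin primary server 10.0.0.5 1812 client-ip 10.0.10.2 vr VR-Default
configure radius netlogin primary shared-secret <shared-secret>
enable radius netlogin

# 2. Netlogin in ISP mode. EXOS requires a netlogin VLAN even though the RADIUS
#    server returns no VLAN VSA; it only holds ports while they are unauthenticated.
#    Ports are statically untagged in the data VLAN and return there after
#    a successful 802.1X authentication.
create vlan temp-netlogin tag 4000
configure netlogin vlan temp-netlogin
configure vlan Data add ports 1:1-1:24 untagged
enable netlogin dot1x
enable netlogin ports 1:1-1:24 dot1x

# 3. Dummy VLAN added tagged to every edge port, so data/voice VLAN membership
#    is untouched. The STP domain uses EMISTP encapsulation with the dummy
#    VLAN's tag as its carrier; edge-safeguard with bpdu-restrict disables a
#    port the moment it receives a single BPDU (its own BPDU reflected by a
#    hub loop included). The port then stays down until an admin re-enables it.
create vlan stp-dummy tag 999
configure vlan stp-dummy add ports 1:1-1:24 tagged
create stpd s-edge
configure stpd s-edge mode dot1d
configure stpd s-edge add vlan stp-dummy ports 1:1-1:24 emistp
configure stpd s-edge tag 999
configure stpd s-edge ports link-type edge 1:1-1:24
configure stpd s-edge ports edge-safeguard enable 1:1-1:24 bpdu-restrict
enable stpd s-edge

# Verification after a test loop: the port should show up as disabled here.
show stpd s-edge ports 1:1-1:24
show netlogin
```

Note that the netlogin VLAN must not carry user traffic or an IP interface in this layout; it exists only to satisfy the "netlogin vlan" requirement.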