Mac Authentication, Dynamic VLANs and Silent Devices

  • Question
  • Updated 4 months ago
  • Answered
Hi,

If dynamic VLAN assignment is used together with MAC authentication, so-called silent devices pose a problem.

A silent device in this context is any end system that does not regularly send data. This results in both the MAC address and authentication session timing out sooner or later. Because the device's VLAN was assigned dynamically, with the end of the authentication session the VLAN is removed from the port. Thus the device is no longer reachable, because no frame, not even the ARP broadcast (or ND multicast) searching for the device's MAC will reach the device.

Common examples are printers, card readers, or even small 4-port switches installed in cable channels. Devices that are switched off but react to wake-on-LAN (WoL) packets fall into this category, too.

I know of two common strategies to handle those devices:
  1. Add the device's VLAN as untagged to the port's VLAN egress list
  2. Regularly contact the device so that neither MAC nor authentication time out
Method number one works fine on EOS devices, but is not available on all EXOS devices. At least some Broadcom FASTPATH based devices support this as well, but I haven't checked the Extreme 200 series yet.

EXOS devices with OnePolicy support can use a policy to add untagged VLANs to the egress list of the port (this works on EOS as well).

A variant of the first method can be used with EXOS for wake-on-LAN devices, by using a UDP profile that moves WoL packets to a VLAN configured statically on the port (see e.g. How to Allow Wake on LAN Magic Packets to be forwarded across vlans in EXOS). This works for UDP packets only, not for ARP or ND and thus cannot be used as a general silent device solution.

The second method can be implemented with EXOS switches, if the ARP timer is set low enough to expire before MAC and authentication session expire, and using ARP refresh (on by default).

Another method is to add the device to some monitoring software. Ping monitoring with a high enough frequency (not less than once inside the MAC and authentication timeout periods) suffices. This can be done with Extreme Management Center (EMC licensing depends on the number of monitored devices). Open-source software (e.g. Nagios or Icinga) can be used as well.

I have seen all of the above strategies used with success. Can anyone add additional methods to the list?

Thanks,
Erik

Erik Auerswald, Embassador


Posted 10 months ago


Bernhard Gruenwald


Hello,
I solved this problem with following method:

Added the silent devices in a device group (NAC).
Changed the radius response to default value plus CUSTOM%
Added in policy profile the custom field to idle-timeout=0

So if the silent device connects to the switch port, this port is configured with no idle-timeout and will not be disconnected by the global timeout value.

Bernhard


M.Nees, Embassador

I use this method too!

I disable session timeout globally if I have no 4- or 8-port desktop switches. I have never had trouble with this.

Regards

Erik Auerswald, Embassador

I see a possible problem if the switch is rebooted (firmware update, power outage, ...) and the device does not send any data on link down/up events (it is a silent device...).

Thanks,
Erik

M.Nees, Embassador

If your device is really so silent I would not enable authentication in this case.

Otherwise a client normally reacts to a port link up with some packets. In my projects I also see that EXOS needs more than one packet for authentication (unfortunately I do not know the cause); EOS is much quicker in this case.

Maybe in an EXOS environment you can work with an autoexec script or UPM script to trigger some reaction from this silent device at switch start or restart.

If you want to automate VLAN assignment only, you can also work with MAC-to-VLAN mapping or maybe also a UPM without authentication for VLAN assignment.

Regards,
Matthias

Erik Auerswald, Embassador

Hi Matthias,

I personally prefer static VLAN configuration for silent devices, but this increases management overhead especially in a fiber to the office (FTTO) environment. Thus some customers really want to use dynamic VLAN assignment for all end systems (except servers in the data center).

The problem with MAC authentication is that the device is not involved in this at all. With 802.1X the device knows it needs to authenticate to use the network and thus is no longer silent.

As long as some devices are silent (static IP address, thus no DHCP; no auto discovery messages; no 802.1X; and so on) and need to be used with MAC authentication, this will be a common problem for many networks where centralized, dynamic configuration mechanisms via EMC and EAC are deployed.

Thanks,
Erik

Erik Auerswald, Embassador

To expand on this thought, dynamic VLAN assignment assumes the device (end system) connected to the network actively maintains the network connection by either:
  1. Using .1X and negotiating network access
  2. Sending data into the network whenever network access for the end system is required
The problem with dynamic VLAN assignment with MAC authentication for silent devices that are supposed to provide network services is that they wait to receive data from the network, but due to timed-out dynamic VLAN assignment said data never reaches the end system (e.g. a printer).

The common client devices that do not provide network services, but rather initiate network connections to some kind of server (which may include a silent device, perhaps indirectly via a print server), work fine with MAC authentication and dynamic VLAN assignment.

IMHO, MAC authentication with dynamic VLAN assignment is not a complete solution, but rather a 95% solution that mostly works, but sometimes creates problems that cannot be solved generically, because implicit requirements are not fulfilled.

Thanks,
Erik

M.Nees, Embassador

On EXOS G1 switches (non-policy-enabled switches) I use this:

configure netlogin ports [port_list | all] allow egress-traffic [none | unicast | broadcast | all_cast]

so although the session may be timed out, the packet that should trigger re-auth is still delivered. The  or one VLAN must be configured manually on such ports.

Erik Auerswald, Embassador

Hi Matthias,

but this only works if the device VLAN is configured on the port, right? Otherwise, i.e. with a dummy netlogin VLAN and dynamic VLANs this does not work, or does it?

Thanks,
Erik

M.Nees, Embassador

You are right; one VLAN has to be assigned so that the magic packet or trigger packet can egress and arrive at the device.

Grosjean, Stephane, Employee

other ways that I use:

- netlogin port restart: when a MAC ages out, automatically trigger a disable/enable of the port to make it speak again. I have seen some green printers consider that a quick flap like that is not worth going out of economy/sleep mode. Otherwise, it does the job.

- mac-lockdown timeout: allows you to set the age time per port. That way, I set it slightly above the DHCP lease timer, so I'm sure at least DHCP will generate enough traffic to keep it up. Of course, if the port goes down, mac is removed immediately.

configure mac-lockdown-timeout ports [all | port_list] aging-time seconds
enable mac-lockdown-timeout ports [all | port_list]

- scripting, of course: UPM could trigger a script with that EMS event "nl.ClientAgeOut" to do whatever is needed on that port. Not working with netlogin port restart.
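As an added example that is not part of this thread and not Extreme tooling, the following Python model puts numbers to three of the approaches discussed above: polling the silent device often enough (the ping-monitoring / ARP-refresh method from the opening post), disabling the session idle-timeout (Bernhard's idle-timeout=0, modelled as a timer of None), and setting the per-port MAC aging time above the DHCP lease (the mac-lockdown-timeout approach in the post directly above). It assumes the RFC 2131 default renewal time T1 = lease/2 for the DHCP client and a Linux iputils `ping` for the live poll; every timer value in it is a constructed example, not a vendor default.

```python
"""Timer model for a MAC-authenticated port with a dynamically assigned VLAN.

Added example, not from the thread. Timer values are constructed; the only
real-world call is keepalive_ping(), which assumes Linux iputils ping.
"""
from dataclasses import dataclass
import subprocess
from typing import Iterable, List, Optional


@dataclass
class PortTimers:
    """The timers whose expiry removes a dynamically assigned VLAN from a port."""
    fdb_aging: Optional[float]               # idle seconds before the MAC leaves the FDB; None = never
    session_timeout: Optional[float] = None  # idle seconds before the auth session ends; None = idle-timeout 0

    @property
    def idle_limit(self) -> float:
        """Whichever configured timer fires first takes the device off the VLAN."""
        configured = [t for t in (self.fdb_aging, self.session_timeout) if t is not None]
        return min(configured) if configured else float("inf")


def safe_poll_interval(timers: PortTimers, margin: float = 0.5) -> float:
    """Poll period that refreshes both timers with a safety margin.

    A poll only helps if it makes the *device* send a frame (ARP/ND reply,
    ICMP echo reply); frames sent towards the device refresh nothing.
    """
    return timers.idle_limit * margin


def dhcp_transmit_times(lease: float, horizon: float) -> List[float]:
    """Times a DHCP client transmits on its own: a renewal at T1 = lease/2
    (RFC 2131 default), then every lease/2 while renewals keep succeeding."""
    t, out = lease / 2, []
    while t <= horizon:
        out.append(t)
        t += lease / 2
    return out


def first_outage(timers: PortTimers,
                 unsolicited: Iterable[float] = (),
                 poll_interval: Optional[float] = None,
                 horizon: float = 24 * 3600,
                 device_answers: bool = True) -> Optional[float]:
    """Return the time (s) the device first falls off its VLAN, or None if it
    stays reachable for the whole horizon.

    unsolicited:    times at which the device sends a frame by itself
    poll_interval:  if set, we poll the device with this period; a poll is
                    answered only while the device is still reachable and awake
    device_answers: False models a powered-off WoL target that cannot reply
    """
    own = {t for t in unsolicited if 0 < t <= horizon}
    polls = set()
    if poll_interval:
        n = 1
        while n * poll_interval <= horizon:
            polls.add(n * poll_interval)
            n += 1
    last_seen = 0.0  # the MAC was learned from the device's first frame at t=0
    for t in sorted(own | polls):
        expiry = last_seen + timers.idle_limit
        if t >= expiry:
            return expiry  # VLAN already gone; this frame can no longer reach/refresh it
        if t in own or device_answers:
            last_seen = t
    expiry = last_seen + timers.idle_limit
    return expiry if expiry <= horizon else None


def keepalive_ping(host: str) -> bool:
    """Live poll: one ICMP echo via Linux iputils ping (assumed present;
    the -c/-W flags are Linux-specific). True if the host answered."""
    result = subprocess.run(["ping", "-c", "1", "-W", "1", host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


if __name__ == "__main__":
    t = PortTimers(fdb_aging=300, session_timeout=600)  # constructed values
    print("no polling, outage at:", first_outage(t))
    print("poll every", safe_poll_interval(t), "s:", first_outage(t, poll_interval=safe_poll_interval(t)))
    print("poll at exactly the timer:", first_outage(t, poll_interval=300))
    print("sleeping WoL target, polled:", first_outage(t, poll_interval=150, device_answers=False))
    lease = 86400
    print("DHCP client, default aging:", first_outage(t, dhcp_transmit_times(lease, 86400)))
    print("DHCP client, aging > lease, no idle-timeout:",
          first_outage(PortTimers(90000), dhcp_transmit_times(lease, 86400)))
```

Running it stand-alone shows the two points the thread circles around: a poll has to arrive before the shorter of the two timers expires (polling at exactly the timer value, or any later, is too late because the VLAN is already gone and the poll never reaches the device), and a device that cannot answer (a powered-off WoL target) is not kept alive by any polling at all. The last two lines reproduce the per-port aging argument: with the default-style 300 s aging a DHCP client whose only traffic is its T1 renewal drops out long before it renews, while aging above the lease plus no session idle-timeout keeps it on the VLAN.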

Erik Auerswald, Embassador

Thanks for sharing that information! :-)

Bin, Employee

  • 5,350 Points 5k badge 2x thumb