Multi Devices Authentication

  • Question
  • Updated 3 years ago
  • Answered
Hi,

Do Summit and/or BlackDiamond support multi-device authentication on a single port? I mean that authentication status and policy will be applied exclusively per device, so a device may be authenticated while the others may not be, even though they are connected to the same port. I found that behavior on Brocade (Foundry) devices, which use MAC address based authentication, but I'm not sure Extreme net login has the same behavior.

Best regards,
Mrxlazuardin

Posted 3 years ago

Bill Stritzinger, Alum
Hello, 

Yes, XOS does support multi-supplicant per port, as does the example you cite. It does it the same way, by the authenticated MAC address.

Bill
Mrxlazuardin
Hi Bill,

Do you mean net login? As far as I know, net login uses an OR policy, so if one device has been authenticated, all other devices connected to the same port can forward traffic through that port even without authentication. What I'm looking for is mutually exclusive authentication of devices, so only an authenticated device can forward traffic through that port, like authentication on a wireless access point. Maybe some example case will be useful.

Best regards,
Bill Stritzinger, Alum
Hello,

In XOS, like with others with netlogin or policy enabled, each device has to authenticate separately in order to pass traffic. It will not, just by the authentication of one device per port, allow traffic to pass for any other device. A good example of this would be an access point where there are a large number of devices aggregated into a single port.

Bill
Daniel Flouret, Employee
Mrxlazuardin,

If you have multiple supplicants on a port that use untagged traffic, you have to enable MAC-Based VLANs on that port (see EXOS User Guide, page 831).

In that case, each individual MAC is assigned to a VLAN when authenticated in the port. Traffic from unauthenticated MACs is not forwarded.
Mrxlazuardin
Hi Daniel,

I'm confused by your and Bill's statements when compared with the following statement from Multiple Supplicant Support in the ExtremeXOS 15.7 User Guide (page 798).

"A port's authentication state is the logical “OR” of the individual MAC's authentication states. In other words, a port is authenticated if any of its connected clients is authenticated."

Can you explain more about the difference?

Best regards,
Daniel Flouret, Employee
Mrxlazuardin,

In Network login, a supplicant gets identified as being learned on a specific VLAN and Port combination (we call this a virtual port). Each virtual port can hold one or more supplicants, each one of which has its own state.

With network login MAC-based operation, every authenticated client has an additional FDB flag that indicates a translation MAC address. To view network login-related FDB entries, use the following command:

show fdb netlogin [all | mac-based-vlans]

The following is sample output from the show fdb netlogin mac-based-vlans command:

Mac               Vlan        Age  Use  Flags Port List
------------------------------------------------------------------------
00:04:96:10:51:80 VLONE(0021) 0086 0000 n m v 1:11
00:04:96:10:51:81 VLTWO(0051) 0100 0000 n m v 1:11
00:04:96:10:51:91 VLTWO(0051) 0100 0000 n m v 1:11
Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC,
i - IP, x - IPX, l - lockdown MAC, M - Mirror, B - Egress Blackhole,
b - Ingress Blackhole, v - NetLogin MAC-Based VLAN.

The flags associated with network login include:
• v—Indicates the FDB entry was added because the port is part of a MAC-based virtual port/VLAN combination.
• n—Indicates the FDB entry was added by network login.
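A way to read the per-MAC state out of that output, as an added example that is not code from the thread or from Extreme: it parses the table above (plus one constructed, hypothetical row without the netlogin flags, standing in for an unauthenticated MAC on the same port), treats entries carrying both the n and v flags as authenticated clients, and reports the port-level logical OR next to the per-device forwarding list, which is the distinction the follow-up question asks about. The n+v reading of "authenticated" follows the flags legend quoted above and is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the 'show fdb netlogin mac-based-vlans' output quoted
# above, plus a hypothetical last row with only 'd m' flags (not netlogin).
SAMPLE_FDB = """\
Mac               Vlan        Age  Use  Flags Port List
------------------------------------------------------------------------
00:04:96:10:51:80 VLONE(0021) 0086 0000 n m v 1:11
00:04:96:10:51:81 VLTWO(0051) 0100 0000 n m v 1:11
00:04:96:10:51:91 VLTWO(0051) 0100 0000 n m v 1:11
00:04:96:10:51:aa Default(0001) 0012 0000 d m 1:11
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_fdb_netlogin(text):
    """Turn EXOS FDB table rows into dicts; header, rule and legend lines are skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        # Row layout: MAC, VLAN(tag), Age, Use, one or more flag letters, Port.
        if len(tok) < 6 or not MAC_RE.match(tok[0]):
            continue
        vlan, tag = tok[1].rstrip(")").split("(")
        entries.append({
            "mac": tok[0].lower(),
            "vlan": vlan,
            "tag": int(tag),
            "flags": set(tok[4:-1]),
            "port": tok[-1],
        })
    return entries


def is_authenticated(entry):
    # Assumption: an entry added by netlogin ('n') into a MAC-based VLAN ('v')
    # is an authenticated supplicant; anything else on the port is not.
    return {"n", "v"} <= entry["flags"]


def auth_summary(entries):
    """Per physical port: the User Guide's logical-OR port state beside the
    per-MAC view (only MACs authenticated themselves are listed as forwarding)."""
    ports = defaultdict(lambda: {"port_authenticated": False, "forwarding": [], "blocked": []})
    for e in entries:
        p = ports[e["port"]]
        if is_authenticated(e):
            p["port_authenticated"] = True        # OR over the port's clients
            p["forwarding"].append((e["mac"], e["vlan"]))
        else:
            p["blocked"].append(e["mac"])          # learned, but not authenticated
    return dict(ports)


if __name__ == "__main__":
    for port, state in auth_summary(parse_fdb_netlogin(SAMPLE_FDB)).items():
        print(port, state)
```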
Mrxlazuardin
Hi Daniel,

Is there any limitation that should be considered when implementing this feature (e.g. maximum MAC addresses per port/VLAN)?

Best regards,
Daniel Flouret, Employee
Yes. 1,024 MAC addresses per switch. There's no specific limitation for ports or VLANs.
Mrxlazuardin
Hi Daniel,

Where can I find the official documentation of the 1024 MAC addresses per switch limitation? As far as I know from the datasheet, BlackDiamond supports at least 8K MAC addresses in the FDB per interface module and Summit X440 supports 16K.

Best regards,
Daniel Flouret, Employee
It's in the Limits section of the Release Notes.

The figure you mention is the number of MAC addresses supported by the FDB. The number I mentioned is specific to MAC addresses in Network login with the MAC-based VLANs feature.
Michael Kirchner
Is there any documentation / slide deck which describes the differences between Enterasys and Extreme switches? In terms of capabilities, handling of RADIUS server down events, ...

Regards
Michael
Mrxlazuardin
Hi Daniel,

Is there any documentation of the authenticated MAC address limitation for Summit and BlackDiamond?

So, what is the meaning of "OR" in the statement on page 798? I mean in relation to this conversation.

Best regards,