Using vlanauthorization RFC3580 on x460G2 and policy.

I have several x460G2 switches that refuse to put ports in the correct VLAN using RFC 3580. I have NAC sending back the VLAN ID and Extreme Policy. vlanauthorization is enabled globally and on the ports. I am running version 22 of the code. I use this to automatically put cameras, wireless APs, printers etc. into the correct VLAN. Everything works fine on the S4, B5, C5, A4 series switches. It's just the x460s that DON'T work.

Any ideas?
Jeremy, Embassador

Posted 2 years ago

Jeremy, Embassador
Also... I can see that it is sending the VLAN (tunnel attribute) 1001. VLAN 1001 is the AdminComputer VLAN.

Port            : 7:48        Station address   : c4:34:6b:5e:78:7d             Auth status     : success     Last attempt      : Mon Dec 12 14:56:50 2016      
Agent type      : dot1x       Session applied   : true
Server type     : radius      VLAN-Tunnel-Attr  : 1001
Policy index    : 9           Policy name       : Admin_Computers (active)
Session timeout : 0           Session duration  : 0:10:04                       
Idle timeout    : 300         Idle time         : 0:00:45                       
Termination time: Not Terminated
Jeremy, Embassador
This is a working B5 using RFC 3580 vlanauth.

Here is the same command run (just on the one port I am testing on the 460 G2).
Jeremy, Embassador
Well, this fixed it:
    configure netlogin ports 7:48 authentication mode required
However, I believe that with this setting, if auth fails, all packets are discarded. I would prefer this NOT to happen. I believe you can't use a default role when you set authentication up this way.
Jeremy, Embassador
Spoke too soon... It doesn't work. This has got to be a bug in the code, as the Enterasys stuff just works.
Jeremy, Embassador
configure policy maptable response both

Thought I had it set... nope. Will test in the AM.

Erik Auerswald, Embassador
Hi Jeremy,

You need to explicitly enable your authentication method both globally and on the ports. If you are using MAC auth, you need to configure netlogin add mac-list default. Whether auth-optional works or not might depend on the firmware version, see https://gtacknowledge.extremenetworks.com/articles/Solution/Port-not-properly-passing-traffic-after-....

Erik
Jeremy, Embassador

Yeah, I did. I forgot the conf policy maptable response both. I am used to enabling it on Enterasys via set policy maptable response both; however, I forgot about it on XOS. It just doesn't show up under show policy vlanauthorization. It shows the VLAN ID as none.
Jeremy, Embassador

Got it working... But the command show policy vlanauth port 7:48 doesn't show that it's doing anything. Although, I can see 1001 untagged on the port.
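A small parser for the `show netlogin` session block Jeremy pasted earlier in the thread, added here as an example; it is not code from the thread or from Extreme Networks. It pulls the "Key : value" columns into a dictionary and flags sessions where authentication succeeded but the session was not applied, no VLAN tunnel attribute came back from RADIUS, the policy is not active, or the returned VLAN disagrees with the VLAN expected for that policy. The policy-to-VLAN table and the assumption that a multi-port dump is just these blocks concatenated are constructed for the example; the port's actual VLAN membership is not in this output, so that still has to be checked on the port itself, as Jeremy did.

```python
import re

# Constructed sample: the session block for port 7:48 as quoted in the thread.
SAMPLE_SESSION = """\
Port            : 7:48        Station address   : c4:34:6b:5e:78:7d             Auth status     : success     Last attempt      : Mon Dec 12 14:56:50 2016      
Agent type      : dot1x       Session applied   : true
Server type     : radius      VLAN-Tunnel-Attr  : 1001
Policy index    : 9           Policy name       : Admin_Computers (active)
Session timeout : 0           Session duration  : 0:10:04                       
Idle timeout    : 300         Idle time         : 0:00:45                       
Termination time: Not Terminated
"""

# Assumed mapping of policy name to the VLAN that NAC should return for it
# (the thread says VLAN 1001 is the admin computer VLAN).
EXPECTED_VLAN_FOR_POLICY = {"Admin_Computers": "1001"}

# One "Key : value" pair. Several pairs share a line, separated by runs of two or
# more spaces. Values may contain colons (MAC addresses, timestamps), so a value
# runs until the next "  Key :" column or the end of the line.
_PAIR = re.compile(
    r"([A-Za-z][A-Za-z\- ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z\- ]*?\s*:|\s*$)"
)


def parse_session(text):
    """Turn one session block into a {key: value} dictionary."""
    fields = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        for m in _PAIR.finditer(line):
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def parse_sessions(text):
    """Assumption: a multi-port dump is one block per port, each starting at a 'Port' column."""
    sessions, current = [], []
    for line in text.splitlines():
        if line.startswith("Port ") and current:
            sessions.append(parse_session("\n".join(current)))
            current = []
        if line.strip():
            current.append(line)
    if current:
        sessions.append(parse_session("\n".join(current)))
    return sessions


def check_session(fields, expected=EXPECTED_VLAN_FOR_POLICY):
    """Return a list of findings; an empty list means the session looks healthy from the switch's view."""
    findings = []
    port = fields.get("Port", "?")
    if fields.get("Auth status") != "success":
        findings.append("port %s: authentication did not succeed (%s)"
                        % (port, fields.get("Auth status", "missing")))
        return findings
    if fields.get("Session applied") != "true":
        findings.append("port %s: session not applied" % port)
    vlan = fields.get("VLAN-Tunnel-Attr")
    if not vlan:
        findings.append("port %s: RADIUS returned no VLAN tunnel attribute" % port)
    policy = fields.get("Policy name", "")
    if not policy.endswith("(active)"):
        findings.append("port %s: policy %r is not active" % (port, policy))
    name = policy.split(" ")[0]
    want = expected.get(name)
    if want and vlan and want != vlan:
        findings.append("port %s: policy %s expects VLAN %s but RADIUS returned VLAN %s"
                        % (port, name, want, vlan))
    return findings


def audit(text, expected=EXPECTED_VLAN_FOR_POLICY):
    """Run the checks over every session in a dump and collect the findings."""
    return [f for s in parse_sessions(text) for f in check_session(s, expected)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSION) or ["no findings for the sample session"]:
        print(finding)
```

The parser is deliberately tolerant of the column widths, so it works on the dump for a whole stack as long as the field names stay the same; if a firmware version renames a column, the missing key shows up as a finding rather than as a silent pass.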