XOS - 802.1X AP but bypass bridge@AP clients

Hi,

Is it possible to authenticate the AP via 802.1X PEAP on the switchport but bypass/disable the authentication for the bridge@AP clients that are connected to the AP?

Could you please tell me the configuration steps on the XOS or other ideas for this scenario.

Thanks,
Ron
Ronald Dvorak, Embassador

Posted 2 years ago
Matthew Helm, Employee

There may be an easier way to do this, but if you want the AP to authenticate (using DOT1X first) and then open up the port to other clients that do not have DOT1X authentication as an option, in the past I've used UPM scripting to do something like this. When the AP is authenticated, the authentication UPM script for that AP enables MAC authentication on the port; masks are configured for MACs in the NETLOGIN config, and a general set of MAC entries in the RADIUS users DB authenticates any MAC. The UPM script which runs when the AP is unauthenticated disables MAC authentication on the port, but preserves DOT1X.

I could write up a configuration for a lab if you have one, otherwise I would have to build a lab to test this scenario and it could take some time.
Ronald Dvorak, Embassador

It would be great if you'd write a document/article about it so that other users/customers could also use it as a reference on how to achieve this function.

Thanks,
Ron
Matthew Helm, Employee

So here is the explanation:

The AP uses netlogin/802.1x to authenticate to a port.

The VSA passed by the radius server contains the name of a UPM profile which then runs.

The UPM profile that runs enables MAC authentication on that port.

Netlogin for mac authentication is configured with a mac-list such that all user/password credentials are passed through to the authentication server (either the radius server or the local authentication database) as the same credentials, either (000000000000 / pass or 800000000000 / pass).

The authentication database has an entry for the acceptance of either of these.

When the AP is un-authenticated (e.g. it is disconnected) a UPM profile is run that disables mac authentication for that port.

Here is the configuration which uses the local database for the mac authentication but, obviously, radius for dot1x:

# Ports start in no VLAN; "users" is the client VLAN named in the RADIUS VSA,
# "nl" is the netlogin holding VLAN for unauthenticated ports.
config vlan default del port all
create vlan users
create vlan nl
config netlogin vlan nl
enable netlogin dot1x mac
enable netlogin port 1-48 dot1x

# Mask 1 matches on the first bit of the client MAC only, so every MAC hits one
# of these two entries and is sent as 000000000000/pass or 800000000000/pass.
config netlogin add mac-list 80:00:00:00:00:00 1 password pass
config netlogin add mac-list 00:00:00:00:00:00 1 password pass
create netlogin local-user "000000000000" pass
create netlogin local-user "800000000000" pass

# MAC authentication is checked against the local database; dot1x goes to RADIUS.
config netlogin mac authentication database-order local
config netlogin authentication protocol-order mac dot1x web-based
config radius netlogin primary server 192.168.62.200 client-ip 192.168.62.201 vr vr-mgmt shared-secret radpass
enable radius netlogin

# UPM profiles: enable MAC authentication on the port when the AP authenticates,
# disable it again when the AP is unauthenticated.
create upm profile apin
  enable netlogin port $(EVENT.USER_PORT) mac
.
create upm profile apout
  disable netlogin port $(EVENT.USER_PORT) mac
.

config upm event user-authenticate profile "apin" port 1-48
config upm event user-unauthenticate profile "apout" port 1-48

# From the Radius users file ("Uusers" = untagged membership of VLAN "users"):

apuname    Auth-Type := EAP, Cleartext-Password := "appass"
        Extreme-Security-Profile = "apin QOS=QP1;LOGOFF-PROFILE=apout;",
        Extreme-Netlogin-Extended-Vlan = "Uusers"

Complexity is added where you want the B@AP traffic to access other VLANs than the one the AP is in at the switch port. If you do, then you'll need the UPM script to have something like this:

config vlan user1 add port $(EVENT.USER_PORT) tagged
config vlan user2 add port $(EVENT.USER_PORT) tagged
....etc...

and the un-authenticate upm script will need to do the opposite:

config vlan user1 delete port $(EVENT.USER_PORT)
config vlan user2 delete port $(EVENT.USER_PORT)
....etc...

Is there any chance that you can test this in a lab?

--Matt
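The mask-1 mac-list entries in the configuration above turn MAC authentication into a pass-through for any client MAC. The Python below is an added model of that lookup, not code from the thread or from EXOS: it assumes the mask is a count of leading bits compared, that the most specific matching entry wins, and that the username sent to the server is the entry MAC without colons; the sample MACs and the 24-bit vendor-prefix entry are constructed.

```python
from typing import List, Optional, Tuple

# Assumed semantics of an EXOS netlogin mac-list entry (not verified on the
# thread's switch): mask = number of leading bits compared, most specific entry
# wins, and the username sent to the server is the entry MAC without colons.
MacEntry = Tuple[str, int, str]  # (mac, mask_bits, password)

def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or the dashed form) into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return int(digits, 16)

def entry_matches(entry_mac: str, mask_bits: int, client_mac: str) -> bool:
    """True when the leading mask_bits of both MACs are equal."""
    if not 0 <= mask_bits <= 48:
        raise ValueError("mask must be between 0 and 48 bits")
    mask = ((1 << mask_bits) - 1) << (48 - mask_bits)
    return (mac_to_int(entry_mac) & mask) == (mac_to_int(client_mac) & mask)

def resolve_credentials(mac_list: List[MacEntry], client_mac: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from the most specific matching entry, or None."""
    best: Optional[MacEntry] = None
    for entry in mac_list:
        entry_mac, mask_bits, _ = entry
        if entry_matches(entry_mac, mask_bits, client_mac):
            if best is None or mask_bits > best[1]:
                best = entry
    if best is None:
        return None
    return best[0].replace(":", "").lower(), best[2]

# The two entries from the thread: mask 1 looks only at the first bit of the MAC.
THREAD_MAC_LIST: List[MacEntry] = [
    ("80:00:00:00:00:00", 1, "pass"),
    ("00:00:00:00:00:00", 1, "pass"),
]
CATCH_ALL_CREDENTIALS = {("800000000000", "pass"), ("000000000000", "pass")}

def all_covered(client_macs: List[str], mac_list: List[MacEntry] = THREAD_MAC_LIST) -> bool:
    """True when every client MAC resolves to one of the two fixed credentials."""
    return all(resolve_credentials(mac_list, m) in CATCH_ALL_CREDENTIALS for m in client_macs)

if __name__ == "__main__":
    # Constructed sample MACs: every one resolves to a catch-all credential.
    print(all_covered(["3c:aa:bb:cc:dd:ee", "c4:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"]))
```

A narrower entry in the list (for example the AP vendor's 24-bit prefix) takes precedence over the two catch-all entries, which is one way to limit which MACs the bypass accepts.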
Matthew Helm, Employee

I should have added that the other VLANs will need to be tagged and this is not a configuration that works in conjunction with policy.
Matthew Helm, Employee

(policy at the switch, that is. It is compatible with policy at the AP.)
Matthew Helm, Employee

I did some testing. If you add the other VLANs that are on the AP to the ports tagged, you don't have to do so in the UPM profiles.

The UPM profiles do need to be modified slightly to work regardless:

# The profile name must match the user-authenticate event and the RADIUS VSA ("apin").
create upm profile apin
config netlogin port $(EVENT.USER_PORT) allow egress-traffic all
enable netlogin port $(EVENT.USER_PORT) mac dot1x
.
create upm profile apout
config netlogin port $(EVENT.USER_PORT) allow egress-traffic none
disable netlogin port $(EVENT.USER_PORT) mac
.

Hope this helps.
OscarK, ESE

I think the easiest way would be for the AP to tunnel all traffic to the controller so the switch does not see the clients behind the AP?
Ronald Dvorak, Embassador

Unfortunately that isn't an option as it doesn't scale in today's networks with 802.11ac APs in place.
Kevin Kim, Employee

I thought multiple supplicant could be turned off on a netlogin enabled port in campus mode. Without multiple supplicant, a netlogin enabled port will be open to all users connected to the same port once the first user is authenticated. But, the concept guide is not clear whether campus mode turns off multiple supplicant or not.

Multiple supplicants are supported in ISP mode for web-based, 802.1X, and MAC-based authentication. In addition, multiple supplicants are supported in Campus mode if you configure and enable network login MAC-based VLANs.
Matthew Helm, Employee

"Campus mode" vs. "ISP mode" has really to do with VLAN assignment mechanism for the port. In the former, VLAN assignment is done using a VSA sent by the RADIUS server for each authorized client. For ISP mode, the port is preconfigured into a VLAN (typically untagged, but not always) and any authorized clients are bridged into that VLAN.

MAC-based VLAN mode for Netlogin is necessarily "Campus mode" and has the disadvantage that all BUMs are received by all clients on that port regardless of their VLAN assignment.

Regardless, whether pre-configuring the netlogin enabled port into a VLAN, or using a VSA to assign the port to a VLAN, multiple supplicant is still in effect for that port.

However, pre-assigning the VLANs and not using the VSA for the dot1x authentication is a very good idea for my script above. I'll need to make further comments.
Rainer Adam

Is there any comparable solution for EOS Switches?