XOS Authentication + Campus Mode + STP needed

We want to use 802.1X and MAC authentication for authenticating the end-systems. Automatic VLAN assignment via RADIUS VSAs during the authentication process is a very important additional value for us (XOS - Auth - Campus Mode). Finally, we want to use Spanning Tree on the edge ports (to prevent network loops)!

Unfortunately, Authentication + Campus Mode + STP is not possible with the current XOS!

Current legacy Enterasys devices support this without problems.
M.Nees, Embassador

Posted 4 years ago
Bill Stritzinger, Alum

Matthias,

As you have seen, XOS does not directly support .1X, MAC authentication and STP on a port at the same time. We can work around this by creating a carrier VLAN and adding the user ports tagged to that VLAN. Here is an example:


# Create the carrier VLAN and add all user ports to it (tagged)
# The tag could be any unused VLAN ID
#
create vlan FAKE_EDGE_MSTP tag 4051
configure vlan FAKE_EDGE_MSTP add ports <user port list> tagged
#
# STP configuration - s0 becomes the MSTP CIST, fake_stm the MSTI carrying the carrier VLAN
#
configure stpd s0 delete vlan default ports all
disable stpd s0 auto-bind vlan default
configure stpd s0 mode mstp cist
configure stpd s0 priority 0
create stpd fake_stm
configure stpd fake_stm mode mstp msti 1
# MSTP bridge priority must be a multiple of 4096 (0-61440); 0 makes this switch the root
configure stpd fake_stm priority 0
configure stpd fake_stm add vlan FAKE_EDGE_MSTP ports <user port list> dot1d
# Edge ports with edge-safeguard: a received BPDU (i.e. a loop) disables the port
configure stpd s0 ports link-type edge <user port list> edge-safeguard enable bpdu-restrict
configure stpd fake_stm ports link-type edge <user port list> edge-safeguard enable bpdu-restrict
enable stpd fake_stm
enable stpd s0
enable stpd
#


Bill
M.Nees, Embassador

Hi Bill,
these days I came back to your STP config suggestion. It works fine: loop protection and NetLogin simultaneously! Perfect.
I drop the bpdu-restrict because otherwise both ends of the loop are shut down. The standard STP behaviour of blocking the new port is OK for me.

create vlan RSTP_VLAN
configure vlan RSTP_VLAN tag 4051
create stpd rstp-s0
configure stpd rstp-s0 mode mstp cist
# MSTP bridge priority must be a multiple of 4096 (16684 is not valid; 16384 = 4 x 4096)
configure stpd rstp-s0 priority 16384
enable stpd rstp-s0
configure vlan RSTP_VLAN add ports 1-16 tagged
configure stpd rstp-s0 add vlan RSTP_VLAN ports 1-16 dot1d
# Edge ports with edge-safeguard but without bpdu-restrict; a disabled port recovers after 60 s
configure stpd rstp-s0 ports link-type edge 1-16 edge-safeguard enable recovery-timeout 60

But two things are important for me:
+ I get no information that a port is shut down because of a loop situation. "show stpd rstp-s0 ports" does not show me a blocked port!
Is it possible for XOS to generate an SNMP trap or a syslog message when a loop is avoided?

+ During the short time RSTP needs to detect a loop, NetLogin (which is also active on that port) sends authentication requests to the RADIUS server, so the NAC Gateway / NAC Manager tool (end-systems) is filled up with the existing MAC addresses (end-systems) on that switch port.
Is it possible to avoid this?