
Using vlanauthorization RFC3580 on x460G2 and policy.


I have several x460G2 switches that refuse to put ports in the correct vlan using RFC3580. I have NAC sending back VLAN ID and Extreme Policy. vlanauthorization is enabled globally, and on the ports. I am running version 22 of code. I use this to automatically put cameras, wireless APs, printers etc. into the correct VLAN. Everything works fine on the S4, B5, C5, A4 series switches. It's just the x460s that DON'T work.

Any ideas?


Also... I can see that it is sending the vlan (tunnel attribute) 1001. Vlan 1001 is AdminComputer VLAN.

Port : 7:48 Station address : c4:34:6b:5e:78:7d
Auth status : success Last attempt : Mon Dec 12 14:56:50 2016
Agent type : dot1x Session applied : true
Server type : radius VLAN-Tunnel-Attr : 1001
Policy index : 9 Policy name : Admin_Computers (active)
Session timeout : 0 Session duration : 0:10:04
Idle timeout : 300 Idle time : 0:00:45
Termination time: Not Terminated

This is a working B5 using rfc3580 vlanauth



Here is the same command run (just on the one port I am testing on the 460 G2)

Well, this fixed it:
configure netlogin ports 7:48 authentication mode required
However, I believe with this setting, if AUTH fails, all packets are discarded. I would prefer this NOT to happen. I believe you can't use a default role when you set authentication up this way.
Spoke too soon. It doesn't work. This has got to be a bug in the code as the Enterasys stuff just works.
configure policy maptable response both

Thought I had it set... nope. Will test in the AM.
Hi Jeremy,

you need to explicitly enable your authentication method both globally and on the ports. If you are using MAC auth, you need to configure netlogin add mac-list default. If auth-optional works or not might depend on the firmware version, see https://gtacknowledge.extremenetworks.com/articles/Solution/Port-not-properly-passing-traffic-after-....

Erik
Erik Auerswald wrote:

Hi Jeremy,

you need to explicitly enable your authentication method both globally and on the ports. If you are using MAC auth, you need to configure netlogin add mac-list default. If auth-optional works or not might depend on the firmware version, see https://gtacknowledge.extremenetworks.com/articles/Solution/Port-not-properly-passing-traffic-after-....

Erik

Yeah, I did. I forgot the conf policy maptable response both. I am used to enabling it on Enterasys via set policy maptable response both, however, forgot about it on XOS. It just doesn't show up under show policy vlanauthorization. It shows vlan ID as none.
Got it working.... But the command show policy vlanauth port 7:48 doesn't show that it's doing anything. Although, I can see 1001 untagged on the port.


