XOS Authentication + Campus Mode + STP needed

Userlevel 6
We want to use 802.1x and MAC Auth for authentication of the end-systems. Automatic VLAN configuration via RADIUS VSAs during the authentication process is a very important additional value for us (XOS - Auth - Campus Mode). Finally, we want to use Spanning Tree at the edge ports (to prevent network loops)!

Unfortunately Authentication + Campus Mode + STP is not possible with current XOS!

Current legacy Enterasys devices support that without problems.

2 replies

Userlevel 5

As you have seen, XOS does not directly support .1x, MAC and STP on a port at the same time. We can workaround this by creating a carrier vlan and adding ports tagged to the vlan. Here is an example:

# Create VLAN for Carrier - Add all user ports to this VLAN
# (tag 4051 is arbitrary; any unused tag will do)
create vlan FAKE_EDGE_MSTP tag 4051
configure FAKE_EDGE_MSTP add port <user port listing> tag
# STP Configuration - Will turn on
# Take the default VLAN out of s0 so it does not auto-bind to the user ports
configure s0 delete vlan default port all
disable s0 auto-bind vlan default
configure s0 mode mstp cist
configure s0 priority 0
# Second STP domain (MSTI 1) that carries the fake edge VLAN
create stpd fake_stm
configure fake_stm mode mstp msti 1
# in MSTP mode the bridge priority must be a multiple of 4096 (0 here, as for s0)
configure fake_stm priority 0
configure fake_stm add vlan FAKE_EDGE_MSTP port <user port listing> dot1d
# Edge ports: a received BPDU disables the port (edge-safeguard) and blocks it (bpdu-restrict)
configure s0 ports link-type edge <user port listing> edge-safeguard enable bpdu-restrict
configure fake_stm ports link-type edge <user port listing> edge-safeguard enable bpdu-restrict
en fake_stm
en s0
en stp

Userlevel 6
Hi Bill,
These days I came back to your STP config suggestion. It works fine - Loop Protection and Netlogin simultaneously! Perfect.
I leave out the bpdu-restrict because both ends of the loop get shut down. The standard STP behaviour of blocking the new port is OK for me.

# Carrier VLAN for the edge ports (tag 4051 is arbitrary)
create vlan RSTP_VLAN
conf vlan RSTP_VLAN tag 4051
# STP domain in MSTP CIST mode; bridge priority must be a multiple of 4096
create stpd rstp-s0
configure rstp-s0 mode mstp cist
conf rstp-s0 prio 16384
enable stpd rstp-s0
# Tag the user ports 1-16 into the carrier VLAN and bind them to the STPD
conf vlan RSTP_VLAN add port 1-16 tag
configure stpd rstp-s0 add vlan RSTP_VLAN ports 1-16 dot1d
# Edge ports with edge-safeguard; a port disabled by a BPDU recovers after 60 s
configure stpd rstp-s0 ports link-type edge 1-16 edge-safeguard enable recovery-timeout 60

But 2 things are important for me:
+ I get no information that a port is shut down because of the loop situation. "show stpd rstp-s0 ports" does not show me a blocked port!
Is it possible that XOS generates an SNMP trap or a syslog message when a loop is avoided??

+ During the short time RSTP needs to detect a loop, netlogin (which is also active on that port) sends authentication requests to the RADIUS server, so the NAC Gateway / NAC Manager tool (end-systems) is filled up with existing MAC addresses (end-systems) on that switch port.
Is it possible to avoid this?
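
The carrier-VLAN workaround in both replies only protects the edge ports if three things line up: the STPD priority is legal for MSTP mode, the carrier VLAN is tagged and carries exactly the user ports, and every bound port has edge-safeguard. The following Python checker is an added example (not code from either poster or from Extreme Networks) that parses the command forms used in the two configs above and reports any of those conditions that fail; it runs offline on a constructed copy of the second config. The two limits it enforces, an MSTP bridge priority that is a multiple of 4096 in the range 0-61440 and a VLAN tag in 1-4094, are EXOS rules; the accepted command grammar (only the forms seen in this thread, with "conf"/"prio" abbreviations and an optional "vlan"/"stpd" keyword) and the plain port-range notation without slot numbers are assumptions.

```python
import re

# Constructed sample: the second poster's carrier-VLAN config with the
# bridge priority 16684 as originally posted (not a multiple of 4096), so
# the checker has something to flag.
SAMPLE_CONFIG = """
create vlan RSTP_VLAN
conf vlan RSTP_VLAN tag 4051
create stpd rstp-s0
configure rstp-s0 mode mstp cist
conf rstp-s0 prio 16684
enable stpd rstp-s0
conf vlan RSTP_VLAN add port 1-16 tag
configure stpd rstp-s0 add vlan RSTP_VLAN ports 1-16 dot1d
configure stpd rstp-s0 ports link-type edge 1-16 edge-safeguard enable recovery-timeout 60
"""

# Assumed grammar: only the command forms used in the thread are recognised.
VLAN_CREATE = re.compile(r"create vlan (\S+)(?: tag (\d+))?$")
VLAN_TAG = re.compile(r"conf(?:igure)? (?:vlan )?(\S+) tag (\d+)$")
VLAN_ADD = re.compile(r"conf(?:igure)? (?:vlan )?(\S+) add ports? (\S+) tag(?:ged)?$")
STPD_CREATE = re.compile(r"create stpd (\S+)$")
STPD_MODE = re.compile(r"conf(?:igure)? (?:stpd )?(\S+) mode (mstp|dot1d|dot1w)\b")
STPD_PRIO = re.compile(r"conf(?:igure)? (?:stpd )?(\S+) prio(?:rity)? (\d+)$")
STPD_ADD = re.compile(r"conf(?:igure)? (?:stpd )?(\S+) add vlan (\S+) ports? (\S+) dot1d$")
STPD_EDGE = re.compile(r"conf(?:igure)? (?:stpd )?(\S+) ports link-type edge (\S+) edge-safeguard enable")


def expand_ports(spec):
    """'1-4,7' -> {1, 2, 3, 4, 7}.  Slot:port notation is not handled (assumption)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _vlan(vlans, name):
    return vlans.setdefault(name, {"tag": None, "ports": set()})


def _stpd(stpds, name):
    return stpds.setdefault(name, {"mode": None, "priority": None, "vlans": {}, "edge_safe": set()})


def parse_config(text):
    """Collect VLAN tags/ports and each STPD's mode, priority, bindings and edge-safeguard ports."""
    vlans, stpds = {}, {}
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line or line.startswith("#"):
            continue
        if m := VLAN_CREATE.match(line):
            _vlan(vlans, m[1])["tag"] = int(m[2]) if m[2] else None
        elif m := VLAN_TAG.match(line):
            _vlan(vlans, m[1])["tag"] = int(m[2])
        elif m := VLAN_ADD.match(line):
            _vlan(vlans, m[1])["ports"] |= expand_ports(m[2])
        elif m := STPD_CREATE.match(line):
            _stpd(stpds, m[1])
        elif m := STPD_MODE.match(line):
            _stpd(stpds, m[1])["mode"] = m[2]
        elif m := STPD_PRIO.match(line):
            _stpd(stpds, m[1])["priority"] = int(m[2])
        elif m := STPD_ADD.match(line):
            _stpd(stpds, m[1])["vlans"][m[2]] = expand_ports(m[3])
        elif m := STPD_EDGE.match(line):
            _stpd(stpds, m[1])["edge_safe"] |= expand_ports(m[2])
    return vlans, stpds


def _fmt(ports):
    return ",".join(str(p) for p in sorted(ports))


def check_config(text):
    """Return a list of findings; an empty list means the workaround is consistent."""
    vlans, stpds = parse_config(text)
    findings = []
    for name, st in stpds.items():
        if st["mode"] == "mstp":
            p = st["priority"]
            if p is None:
                findings.append(f"{name}: no bridge priority configured")
            elif p % 4096 or p > 61440:
                findings.append(f"{name}: priority {p} is not a multiple of 4096 in 0-61440")
        for vname, bound in st["vlans"].items():
            v = vlans.get(vname, {"tag": None, "ports": set()})
            if v["tag"] is None or not 1 <= v["tag"] <= 4094:
                findings.append(f"{name}: carrier VLAN {vname} needs a valid 802.1Q tag (1-4094)")
            if bound != v["ports"]:
                findings.append(f"{name}: ports bound for {vname} ({_fmt(bound)}) differ from "
                                f"ports tagged into it ({_fmt(v['ports'])})")
            missing = bound - st["edge_safe"]
            if missing:
                findings.append(f"{name}: ports {_fmt(missing)} lack edge-safeguard, so a BPDU "
                                f"received there would not disable the port")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it on a config pasted into `SAMPLE_CONFIG` before applying it to the switch; with the posted priority of 16684 it reports one finding, and with 16384 it reports none. The first reply's config can be checked the same way once the `<user port listing>` placeholders are replaced by real port ranges.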