Solved

802.1x issues

  • 21 March 2019
  • 3 replies
  • 882 views

Hey everyone!

Since Microsoft allowed the Hyper-V switches to transfer EAPOL packets, I tried to make our switches more secure by implementing 802.1x authentication for the ports.

My idea is the following:

Someone plugs their computer into one of the switch ports:
  • If they are in the necessary AD group (a condition I check on the Windows NPS server), they get authenticated and are put in the necessary untagged VLAN; they can reach the internal network and the internet
  • If they don't have 802.1x enabled, they get put into the Guest VLAN and receive a DMZ DHCP IP
  • If they have 802.1x enabled but cannot authenticate, they get put into the Failure VLAN (similar to the Guest VLAN)
It works like a charm and everything is fine, but here comes the issue: if the connected computer has a Virtual Machine, then I want that VM to be put into the Failure VLAN (or the Guest, doesn't matter). For this, in the NPS server I set up the 211 VSA attribute so it enables two VLANs on the port: ULAN;TDMZ - so there will be an untagged LAN VLAN and a tagged DMZ.
After the computer's (host's) successful authentication I can see both VLANs on the port; the host is in the untagged VLAN, has internet, everything works.
The issue is that the VM tries to authenticate, but it fails, and then it doesn't get into the DMZ VLAN; also, if I set up a VLAN tag in Hyper-V for the VM (the tag of the DMZ VLAN), it doesn't pick it up.

This is what I see:

SW01.33 # show netlogin dot1x detail

NetLogin Authentication Mode : web-based DISABLED; 802.1x ENABLED; mac-based DISABLED
NetLogin VLAN : "nt_login"
NetLogin move-fail-action : Deny

------------------------------------------------
802.1x Mode Global Configuration
------------------------------------------------
Quiet Period : 1
Supplicant Response Timeout : 5
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 10
EAPOL MPDU version to transmit : v1
------------------------------------------------

Port: 6:19, Vlan: LAN State: Enabled, Authentication: 802.1x
Guest Vlan VM-DMZ: Enabled
Authentication Failure Vlan VM-DMZ: Enabled
Authentication Service-Unavailable Vlan VM-DMZ: Enabled

MAC
MACADDRESS : IP=10.98.8.48 Auth=Yes User=ADUSERNAME
: AuthPAE state=AUTHENTICATED BackAuth state=IDLE
: ReAuth time left=3566 ReAuth count=0
: Quiet time left=0
-----------------------------------------------

Port: 6:19, Vlan: VM-DMZ, State: Enabled, Authentication: 802.1x
Guest Vlan VM-DMZ: Enabled
Authentication Failure Vlan VM-DMZ: Enabled
Authentication Service-Unavailable Vlan VM-DMZ: Enabled

MAC
00:15:5d:49:0b:1a : IP=0.0.0.0 Auth=No User=
: AuthPAE state=AUTHENTICATING BackAuth state=IDLE
: ReAuth time left=0 ReAuth count=4
: Quiet time left=0
10:62:e5:ef:0f:69 : IP=0.0.0.0 Auth=Yes User=ADUSERNAME
: AuthPAE state=AUTHENTICATED BackAuth state=IDLE
: ReAuth time left=3566 ReAuth count=0
: Quiet time left=0
-----------------------------------------------

This is what's in the debug log:

03/21/2019 11:21:36.15 Slot-1: Authentication failed for Network Login 802.1x user Mac 00:15:5D:49:0B:1A port 6:19
03/21/2019 11:21:36.15 Slot-1: Client[6:19, 00:15:5D:49:0B:1A] auth move result: Cant move untagged VLAN
03/21/2019 11:21:36.15 Slot-1: Client[6:19, 00:15:5D:49:0B:1A] authVlans preprocessing result; Cant move untagged VLAN

Do you have any suggestions?
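When a supplicant is stuck like the VM above, the useful check is to correlate the `show netlogin dot1x detail` output (an unauthenticated MAC still in AUTHENTICATING with a ReAuth count above the configured Max Re-authentications) with the "auth move result" line in the debug log. The following parser is an added example written for this thread, not code from the poster or from Extreme Networks; the sample text is constructed in the format of the output quoted above, and the regular expressions are assumptions about that format, matched only against the lines shown here.

```python
import re
from dataclasses import dataclass

# Constructed sample input in the format of the 'show netlogin dot1x detail'
# output and the debug log lines quoted in the question above.
SHOW_OUTPUT = """\
NetLogin Authentication Mode : web-based DISABLED; 802.1x ENABLED; mac-based DISABLED
Max Re-authentications : 3

Port: 6:19, Vlan: LAN State: Enabled, Authentication: 802.1x

MAC
MACADDRESS : IP=10.98.8.48 Auth=Yes User=ADUSERNAME
: AuthPAE state=AUTHENTICATED BackAuth state=IDLE
: ReAuth time left=3566 ReAuth count=0
-----------------------------------------------

Port: 6:19, Vlan: VM-DMZ, State: Enabled, Authentication: 802.1x

MAC
00:15:5d:49:0b:1a : IP=0.0.0.0 Auth=No User=
: AuthPAE state=AUTHENTICATING BackAuth state=IDLE
: ReAuth time left=0 ReAuth count=4
10:62:e5:ef:0f:69 : IP=0.0.0.0 Auth=Yes User=ADUSERNAME
: AuthPAE state=AUTHENTICATED BackAuth state=IDLE
: ReAuth time left=3566 ReAuth count=0
"""

DEBUG_LOG = """\
03/21/2019 11:21:36.15 Slot-1: Authentication failed for Network Login 802.1x user Mac 00:15:5D:49:0B:1A port 6:19
03/21/2019 11:21:36.15 Slot-1: Client[6:19, 00:15:5D:49:0B:1A] auth move result: Cant move untagged VLAN
03/21/2019 11:21:36.15 Slot-1: Client[6:19, 00:15:5D:49:0B:1A] authVlans preprocessing result; Cant move untagged VLAN
"""

@dataclass
class Client:
    port: str
    vlan: str
    mac: str
    ip: str
    authed: bool
    user: str
    pae_state: str = ""
    reauth_count: int = 0

# Assumed line shapes, derived from the sample above.
MODE_RE = re.compile(r"^NetLogin Authentication Mode :.*mac-based (ENABLED|DISABLED)")
MAXREAUTH_RE = re.compile(r"^Max Re-authentications\s*:\s*(\d+)")
PORT_RE = re.compile(r"^Port:\s*(\S+),\s*Vlan:\s*(\S+?),?\s+State:")
CLIENT_RE = re.compile(r"^([0-9a-fA-F:]{17}|MACADDRESS)\s*:\s*IP=(\S+)\s+Auth=(Yes|No)\s+User=(\S*)")
PAE_RE = re.compile(r"AuthPAE state=(\S+)")
REAUTH_RE = re.compile(r"ReAuth count=(\d+)")
MOVE_RE = re.compile(r"Client\[(\S+), ([0-9A-Fa-f:]{17})\] auth move result: (.+)$")

def parse_show(text):
    """Return (clients, max_reauth, mac_based_enabled) from the show output."""
    clients, max_reauth, mac_based = [], None, None
    port = vlan = None
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MODE_RE.match(line):
            mac_based = m.group(1) == "ENABLED"
        elif m := MAXREAUTH_RE.match(line):
            max_reauth = int(m.group(1))
        elif m := PORT_RE.match(line):
            port, vlan = m.group(1), m.group(2)   # new per-port section
            cur = None
        elif m := CLIENT_RE.match(line):
            cur = Client(port, vlan, m.group(1).lower(), m.group(2),
                         m.group(3) == "Yes", m.group(4))
            clients.append(cur)
        elif cur is not None and line.startswith(":"):
            # continuation lines carry the PAE state and the re-auth counter
            if m := PAE_RE.search(line):
                cur.pae_state = m.group(1)
            if m := REAUTH_RE.search(line):
                cur.reauth_count = int(m.group(1))
    return clients, max_reauth, mac_based

def parse_move_failures(log_text):
    """Map (port, mac) -> reason string for every logged 'auth move result' line."""
    failures = {}
    for line in log_text.splitlines():
        if m := MOVE_RE.search(line):
            failures[(m.group(1), m.group(2).lower())] = m.group(3).strip()
    return failures

def find_stuck_supplicants(show_text, log_text):
    """Clients that are unauthenticated, still AUTHENTICATING and past
    Max Re-authentications, joined with the reason the switch logged."""
    clients, max_reauth, mac_based = parse_show(show_text)
    failures = parse_move_failures(log_text)
    stuck = []
    for c in clients:
        if c.authed or c.pae_state != "AUTHENTICATING":
            continue
        if max_reauth is not None and c.reauth_count <= max_reauth:
            continue
        stuck.append({"port": c.port, "mac": c.mac, "vlan": c.vlan,
                      "reauth_count": c.reauth_count,
                      "reason": failures.get((c.port, c.mac), "no move result logged"),
                      "mac_based_vlans": mac_based})
    return stuck

if __name__ == "__main__":
    for entry in find_stuck_supplicants(SHOW_OUTPUT, DEBUG_LOG):
        print(entry)
```

Run against the sample, the only flagged entry is the VM's MAC on port 6:19 with reason "Cant move untagged VLAN" and `mac_based_vlans` False, which is exactly the pair of facts a reviewer needs to see together.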

Best answer by Kawawa 26 March 2019, 10:39

Good morning,

As I understand, your host is authenticated and added to a VLAN untagged.

Your netlogin port is configured to use port-based VLANs. With this, the port can only be untagged in 1 VLAN (the initial host authentication), therefore any subsequent attempt to pass an untagged VSA for the VM would fail.

You need to change the NetLogin mode to mac-based-vlans. Please see the following KB article: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-MAC-based-VLANs-and-port-based-VLANs

code:
# show netlogin dot1x detail

... MAC-based ENABLED

In your case the above is set to DISABLED
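The distinction in this answer is easy to reason about with a small model: in port-based mode the port itself is untagged in one VLAN, so a second MAC that needs a different untagged VLAN (here the VM landing in the failure VLAN) cannot be placed; in MAC-based mode each MAC carries its own untagged VLAN. The script below is an added illustration of that rule, not ExtremeXOS code and not from this thread's authors; the `PortState` model, `place_client` and `simulate` are assumptions, and the only page-derived inputs are the `ULAN;TDMZ` VSA format, the VLAN names and the two MAC addresses quoted in the question.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PortState:
    """Simplified model (assumption, not ExtremeXOS internals) of one NetLogin port."""
    mode: str                                      # "port-based" or "mac-based"
    untagged_vlan: Optional[str] = None            # port-based: the single untagged VLAN
    tagged_vlans: set = field(default_factory=set)
    mac_vlans: dict = field(default_factory=dict)  # mac-based: per-MAC untagged VLAN

def parse_vsa(vsa):
    """Split a 'ULAN;TDMZ' style value (format quoted in the question) into
    (untagged_vlan, [tagged_vlans]): 'U' prefix = untagged, 'T' prefix = tagged."""
    untagged, tagged = None, []
    for item in filter(None, (s.strip() for s in vsa.split(";"))):
        kind, name = item[0], item[1:]
        if kind == "U" and untagged is None:
            untagged = name
        elif kind == "T":
            tagged.append(name)
        else:
            raise ValueError(f"unsupported VSA item {item!r}")
    return untagged, tagged

def place_client(port, mac, untagged, tagged=()):
    """Try to give MAC an untagged VLAN (plus tagged VLANs) on the port.
    Returns (ok, reason), in the spirit of the 'auth move result' the switch logs."""
    if port.mode == "port-based":
        # The whole port is untagged in at most one VLAN; once the first client
        # has claimed it, a different untagged VLAN for another MAC cannot apply.
        if untagged and port.untagged_vlan not in (None, untagged):
            return False, "Cant move untagged VLAN"
        if untagged:
            port.untagged_vlan = untagged
    else:
        # MAC-based VLANs: every MAC carries its own untagged membership.
        if untagged:
            port.mac_vlans[mac] = untagged
    port.tagged_vlans.update(tagged)
    return True, "ok"

def simulate(mode, host_vsa="ULAN;TDMZ", failure_vlan="VM-DMZ"):
    """Host authenticates with the VSA, then its VM fails 802.1x and must be
    placed in the failure VLAN. Returns (port, host_result, vm_result)."""
    port = PortState(mode)
    host_mac, vm_mac = "10:62:e5:ef:0f:69", "00:15:5d:49:0b:1a"  # MACs from the question
    untagged, tagged = parse_vsa(host_vsa)
    host_result = place_client(port, host_mac, untagged, tagged)
    vm_result = place_client(port, vm_mac, failure_vlan)
    return port, host_result, vm_result

if __name__ == "__main__":
    for mode in ("port-based", "mac-based"):
        port, host, vm = simulate(mode)
        print(mode, "host:", host, "vm:", vm, "port:", port)
```

In port-based mode the host succeeds and the VM fails with the same reason string the debug log showed; in mac-based mode both succeed and `mac_vlans` holds LAN for the host MAC and VM-DMZ for the VM MAC, with DMZ tagged on the port in both cases.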

3 replies

Hey!

Thanks for your answer.

Okay, so let's say I have a computer that authenticates and then gets put into the untagged VLAN. I cannot put any VMs into a tagged VLAN without using MAC-based auth?
Hello again,

I managed to make it work thanks to you; I thought MAC-based meant that you use MACs to authenticate, but this is something else!

Thanks a million man, you saved me!
