topic Re: Using NAC to Fabric attach an ERS 4900 to an ERS 5900 in ExtremeSwitching (ERS)

Using NAC to Fabric attach an ERS 4900 to an ERS 5900

ExtremeNorth — Wed, 10 Apr 2019 06:22:50 GMT

I have ERS5900's running full fabric connect (NNI Ports) back to VSP8400''s, and I would like to use FA to connect another ERS4900 switch to an EAP enabled port. All ports on the 5900 are EAP enabled and controlled with Extreme NAC to auto provision the VLAN:I-SID for phones (port set as untagPvidOnly with ADAC/LLDP) and clients. (port is default untagAll)

When I connect the 4900 switch to a port I can use MAC auth to set the VLAN, but I cannot set the port for tagAll (or untagPvidOnly) so that VLAN's are passed through. In XMC the policy mapping has an option for VLAN Egress: (Tagged/Untagged/Same as Ingress/User Defined) but it does not seem to change the port tagging behavior.

I realize I can just change the port to be authorized and manually enable to port for tagging, but I would like to leave all ports as generic ports so we can attach the switch anywhere on the network.

Thanks in advance.

Terrel Hobbs
Yellowknife, NT

Re: Using NAC to Fabric attach an ERS 4900 to an ERS 5900

Ludovico_Steven — Wed, 10 Apr 2019 14:23:02 GMT

Hi
Some of what you are trying to do is possible. But not everything..
For a start the XMC Policy Egress VLAN tab will have no effect on ERS.
You can however achieve the desired ERS port config by returning these RADIUS attributes to the switch when opening the port:

FA-VLAN-Create=1
FA-VLAN-PVID=10
FA-VLAN-ISID=10:20010
FA-VLAN-ISID=20:20020
FA-VLAN-ISID=30:20030

This would allow NAC to create and assign all of VLANs 10,20,30 on the authorized port, where VLAN 10 is the Untagged VLAN on that port.

However, the above attributes, with multiple VLANs, will only be processed if the port being authorized is in MHSA mode (Multi-Host-Single-Authentication), which requires this config on the ERS, globally:

eapol multihost auto-non-eap-mhsa-enable

And at port level:

eapol multihost auto-non-eap-mhsa-enable mhsa-no-limit

Which is what you need anyway, as you will be getting traffic from lots of other MACs once you've opened the port to the ERS4900 behind.
The trouble is that now you have a different config for that port, which is not what you intended.
There is an FA zero-touch-option which is designed to automatically set the port to MHSA based on detection of an FA client on the port:

fa zero-touch-options auto-port-mode-fa-client client-type

But unfortunately it cannot be set to FA-type = FA-Proxy, which is what the ERS4900 will FA announce itself as. Might be worth an enhancement...

Re: Using NAC to Fabric attach an ERS 4900 to an ERS 5900

ExtremeNorth — Fri, 12 Apr 2019 07:01:09 GMT

Thanks for the response Ludico.

Good to know that the XMC Policy Egress has no effect; I think this would be a nice enhancement...

I am sending the radius attributes, but the switch says "EAP: Pvid attribute from RADIUS ignored" when I added the FA-VLAN-PVID.
globally I have "eapol multihost auto-non-eap-mhsa-enable"
on every port I had "eapol multihost eap-mac-max 32 non-eap-mac-max 32 radius-non-eap-enable mac-max 32", and I added auto-non-eap-mhsa-enable mhsa-no-limit which does not affect it.
I do have "fa zero-touch-option auto-port-mode-fa-client client-type 6,8" enabled
I also have "fa zero-touch-client standard switch vlan xxx i-sid xxxxxx" set so it adds the WAP vlan to the port.

When I "show fa elements" the 5900 shows 4900 as Proxy, and the 4900 shows the 5900 as a Server. (since it is setup as a FC switch) I will try sending multiple vlans when the switch authenticates, and will update my findings.

Terrel.

Re: Using NAC to Fabric attach an ERS 4900 to an ERS 5900

mneumann — Mon, 21 Oct 2019 14:42:16 GMT

As Ludo stated, both EAP command (global/port-level) solves the issue you pointed out in this thread.

I had the same experiences and I was looking here for a solution - and again Ludo helped again 🙂

Here are all related information as summary.

Port 1-12 are EAP enabled and want to assign a Vlan:I-SID (10:10012) dynamically once the device is authenticated.

The Radius-Return attribute is based as Ludo mentioned above.

+-------------------------------------------------------------------------

Global:

eapol multihost auto-non-eap-mhsa-enable

Port level:

eapol multihost auto-non-eap-mhsa-enable mhsa-no-limit

+-------------------------------------------------------------------------

! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 4926GTS-PWR+
! Software version = v7.7.0.003
!
! Displaying only parameters different to default
!================================================
enable
configure terminal

!
! *** Fabric Attach ***
!
fa uplink trunk 1
fa timeout 45
fa extended-logging
fa zero-touch-option auto-trusted-mode-fa-client client-type 6-17
fa zero-touch-option auto-pvid-mode-fa-client client-type 6-17
fa zero-touch-option auto-mgmt-vlan-fa-client
fa zero-touch-option auto-client-attach
no fa message-authentication 1-24
! i-sid 10012 vlan 12 ==> created by FA Client

!
! *** EAP ***
!
eapol multihost radius-non-eap-enable
eapol multihost auto-non-eap-mhsa-enable
interface Ethernet ALL
eapol multihost port 1-12 eap-mac-max 4 allow-non-eap-enable non-eap-mac-max 4 radius-non-eap-enable auto-non-eap-mhsa-enable non-eap-phone-enable mac-max 64 mhsa-no-limit
exit
interface Ethernet ALL
eapol port 1-12 status auto re-authentication enable
exit

FAP-2#sho vlan interface vids 3,7

****************************************************************************** Command Execution Time: 2019-10-21 09:31:32 GMT+02:00 UTC time: 2019-10-21 07:31:32 ****************************************************************************** Port VLAN VLAN Name VLAN VLAN Name VLAN VLAN Name ---- ---- ---------------- ---- ---------------- ---- ---------------- 3 12 VLAN #12 ---- ---- ---------------- ---- ---------------- ---- ---------------- 7 12 VLAN #12 ---- ---- ---------------- ---- ---------------- ---- ----------------

FAP-2#sho vlan interface info 3,7

****************************************************************************** Command Execution Time: 2019-10-21 09:31:37 GMT+02:00 UTC time: 2019-10-21 07:31:37 ****************************************************************************** Filter Filter Untagged Unregistered Port Frames Frames PVID PRI Tagging Name ---- -------- ------------ ---- --- ------------- ---------------- 3 No No 12 0 UntagPvidOnly Port 3 7 No No 12 0 UntagPvidOnly Port 7

# sho log I 2019-10-21T09:25:43+02:00 23 Fabric Attach: binding activation success (port 7 10012/12) I 2019-10-21T09:25:43+02:00 22 Fabric Attach: binding activation success (port 3 10012/12) I 2019-10-21T09:25:43+02:00 21 Fabric Attach: binding activation success (trunk 1 10012/12)

Thanx again and good luck for all the others who will run in the same “finding” 🙂

Cheers - Matthias

Re: Using NAC to Fabric attach an ERS 4900 to an ERS 5900

mneumann — Mon, 21 Oct 2019 15:18:52 GMT

Me again,

In the meantime, I figured out that passing the value [FA-Client-Trust=1] unfortunately doesn't get any attention on the switch.

Now the question is, is this not supported or is the attribute wrong?

Cheers - Matthias

Re: Using NAC to Fabric attach an ERS 4900 to an ERS 5900

mneumann — Tue, 22 Oct 2019 13:20:32 GMT

Coming back to Ludo’s statement:

For ERS enable globally:

eapol multihost auto-non-eap-mhsa-enable

And at port level:

eapol multihost auto-non-eap-mhsa-enable mhsa-no-limit

These commands will open the port to the ERS4900 behind, that means also unwanted devices will get access to the network, once one authenticated client on that port is authenticated successfully.

I guess that is not what a network administrator want and that cannot be the solution to get this automatic VLAN:I-SID assignment running?

Is there any other way to get this running?

Thanks - Matthias

Re: Using NAC to Fabric attach an ERS 4900 to an ERS 5900

Ludovico_Steven — Wed, 23 Oct 2019 15:54:34 GMT

The MHSA mode is only intended for opening ports where a wireless AP is connected, and hence, yes, it is required to open the port for all MACs associated to the AP thereafter (or as in this thread it was desired to open an ERS NAC port behind which a 2nd ERS switch is connected).

But MHSA is not the mode to use on ports where you have end-stations, or else it defeats the purpose of NAC.

For end-stations directly connected to ERS ports (PCs, phones, etc..) you don't enable MHSA on the port, and so the ERS port will work in MHMA Multi-VLAN mode.

In this mode you don't care how the packet arrives on the port (tagged/untagged) (and the PVID config of the ERS port is completely irrelevant) since the authenticated source MAC automatically determines the VLAN (which was assigned to that MAC); under the bonnet it is MAC-based-VLANs.

You might still care about untagging frames for a certain VLAN when sending packets out of the ERS port, in this case you need to also send the RFC4675 attribute in addition to the FA-VLAN-ISID (the FA-VLAN-PVID attribute will be ignored in this mode)

As for the FA-Client-Trust RADIUS attribute, this is again mostly intended for ERS ports where we connect an FA Client device which has a need to do FA signalling to request additional VLAN:ISID bindings beyond the initial VLAN it got put on by NAC/RADIUS. These devices are Extreme Wireless APs or the Defender for IOT (which get their final config from a controller), or possibly some other device running Open vSwitch (OVS). All of these devices would require the MHSA mode (not MHMA!) as they will bridge additional MACs into the same ERS port.

Re: Using NAC to Fabric attach an ERS 4900 to an ERS 5900

trobinson — Thu, 11 Jun 2020 02:00:12 GMT

Hello Ludovico, I hope you are well!

Can you clarify - does this mean that this can be used to attach any vendor’s downstream switch with multiple vlans for various services (printer, phone, pc, etc) ? My thought is to act on the mac address of the switch to send the vlans:ISID to the ERS, which I have working, but am not understanding how to tag the ERS port. Reading your response says to me that a printer mac in the printer vlan on the downstream switch will be put into the printer vlan on the ERS even in absence of the ERS port being tagged.

Topology

VSP --- ERS --- generic switch -- end point devices

“ In this mode you don't care how the packet arrives on the port (tagged/untagged) (and the PVID config of the ERS port is completely irrelevant) since the authenticated source MAC automatically determines the VLAN (which was assigned to that MAC); under the bonnet it is MAC-based-VLANs. “

PS120-4950-WC1-Stk3(config)#show vlan interface verbose 1/47
      Filter Filter
Unit/ Untag. Unreg.
Port Frames Frames PVID VLAN VLAN Name        PRI Tagging       Port Name
----- ------ ------ ---- ---- ---------------- --- ------------- --------------
1/47 No     Yes    92   32   WiredUsers       0   UntagAll      Unit 1,Port 47
                         92   SwitchMgmt
                         96   NewVoIP
                         112 Printers
                         1001 OldVoIP

Thanks!

Re: Using NAC to Fabric attach an ERS 4900 to an ERS 5900

Ludovico_Steven — Sat, 27 Jun 2020 02:32:12 GMT

Lets say your ERS receives MAC X on the port to your generic switch, and you need that MAC to be scooped into VLAN 10.

When you authorize the MAC via RADIUS, you return these RADIUS attributes:

FA-VLAN-Create=1 # If the VLAN needs creating on the ERS

FA-VLAN-ISID=10:<I-SID>

The above is sufficient to place ingress traffic from that MAC into VLAN 10 (I-SID whatever)

The question now is how do you want to send egress traffic to that same MAC on the same port ? Tagged or Untagged ?

If you want it to go out untagged, you will include this RADIUS attribute as well:

Egress-VLANID=0x3200000a

Whereas if you want it to go out tagged:

Egress-VLANID=0x3100000a

But in this case the egress VLAN id better match the VLAN id you authorized the same MAC into; I don’t think it will work if you try and do VLAN translation..

The above attribute is defined in RFC4675; the vlan-id is the last 12 bits (hex A = 10 decimal).

Again, the above attribute is only applicable to MHMA mode (not MHSA).