
ERS switch integration with Extreme control.


Ahmed_101
New Contributor III

Hi all,
I'm working on a Fabric Attached edge ERS switch, and this switch is connected to VOSS running fabric, to integrate the ERS switch with Extreme Control.
My goal is to configure MAC authentication 802.1x and authenticate wireless clients on an AP that is running in Fabric Attach mode.
I configured the VOSS and FA and it is working fine, but the problem is that I can ping the NAC, and even the RADIUS reachability packets reach the NAC, but when I configure a port for MAC authentication (NEAP)
there is no packet reaching Extreme Control.
The problem is with my NEAP and RADIUS configs, I think. So is there a document that explains it?
I read the ERS security document, but that does not seem to work.
Thank you.

1 REPLY 1

Ahmed_101
New Contributor III

Hi all, 
Now the packets are sent to the NAC and the client is authenticated successfully on the Extreme Control side, but there is a problem where the clients stay in intruder state:

-------------------------- Unauthorized Clients ----------------------------
Port Client MAC Address Type           Radius Status
---- ------------------ -------------- ------------------------------
2    E8:6A:64:F4:A3:A3  Intruder       Pending RADIUS Authentication
Total number of DHCP phones: 0
Total number of EAP clients: 0
Total number of non-EAP clients: 0
Total number of unauthenticated clients: 1
3650GTS-PWR+(config-if)#


Here are the switch configs:
3650GTS-PWR+(config-if)#show running-config
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 3650GTS-PWR+
! Software version = v6.4.2.007
!
! Displaying only parameters different to default
!================================================
enable
configure terminal
!
! *** CORE ***
!
sntp server primary address 192.168.101.150
sntp enable
!
! *** RADIUS ***
!
no radius use-management-ip
radius server host 192.168.101.102 acct-enable
radius server host 192.168.101.102 used-by eapol acct-enable
radius server host 192.168.101.102 used-by non-eapol acct-enable timeout 20
radius accounting interim-updates enable
radius reachability mode use-radius
radius reachability timeout 2
!
! *** RADIUS Dynamic Server ***
!
radius dynamic-server replay-protection
!
! *** TACACS+ ***
!
!
! *** SNMP ***
!
snmp-server view ALL +1
! snmp-server user ahmed md5 ******** des ******** read-view ALL write-view ALL notify-view ALL
snmp-server host 192.168.101.101 port 162 v3 auth "ahmed"
!
! *** IP ***
!
!
! *** IP Manager ***
!
no ipmgr snmp
!
! *** ASSET ID ***
!
!
! *** System Logging ***
!
logging remote address 192.168.101.101
logging remote enable
logging remote facility local4
logging remote level debug
!
! *** STACK ***
!
!
! *** Custom Banner ***
!
!
! *** SSH ***
!
!
! *** SSL ***
!
!
! *** SSHC ***
!
!
! *** MSTP (Phase 1) ***
!
spanning-tree mstp region region-name "e0:a1:29:ed:08:01"
!
! *** LACP (Phase 1) ***
!
!LACP mode is set to OFF on all interfaces to enable manipulation of
!ports with LACP enabled
interface Ethernet ALL
lacp mode port ALL off
exit
!
! *** VLAN ***
!
vlan create 30,1010 type port cist
vlan ports 2,11 tagging unTagPvidOnly
vlan configcontrol flexible
vlan members 1010 11
vlan ports 11 pvid 1010
no auto-pvid
!
! *** 802.1ab ***
!
interface Ethernet ALL
no lldp tx-tlv port 47 dot3 mdi-power-support
no lldp tx-tlv port 47 med extendedPSE
exit
!
! *** 802.1ab vendor-specific TLVs config ***
!
!
! *** 802.1AB MED Voice Network Policies ***
!
!
! *** QOS ***
!
!qos if-group name "#FaTrustedIfcs" class trusted
!qos if-assign port 47 name #FaTrustedIfcs
!
! *** RMON ***
!
!
! *** EAP Guest VLAN ***
!
!
! *** EAP ***
!
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost auto-non-eap-mhsa-enable
eapol multihost non-eap-phone-enable
interface Ethernet ALL
eapol multihost port 1 eap-mac-max 10 allow-non-eap-enable non-eap-mac-max 10 radius-non-eap-enable auto-non-eap-mhsa-enable non-eap-phone-enable mac-max 3
eapol multihost port 2 eap-mac-max 3 allow-non-eap-enable non-eap-mac-max 3 radius-non-eap-enable auto-non-eap-mhsa-enable non-eap-phone-enable mac-max 3
eapol multihost port 3-12 allow-non-eap-enable radius-non-eap-enable auto-non-eap-mhsa-enable non-eap-phone-enable
eapol multihost port 13 eap-mac-max 3 allow-non-eap-enable non-eap-mac-max 3 radius-non-eap-enable auto-non-eap-mhsa-enable non-eap-phone-enable mac-max 3
eapol multihost port 14-50 allow-non-eap-enable radius-non-eap-enable auto-non-eap-mhsa-enable non-eap-phone-enable
exit
interface Ethernet ALL
eapol port 1 status auto re-authentication-period 60 quiet-interval 30 max-request 10
eapol port 2,13 status auto re-authentication-period 60 quiet-interval 30 server-timeout 10 max-request 10
exit
!
! *** EAP Fail Open VLAN ***
!
!
! *** EAP Voip VLAN ***
!
! eapol enable
!
! *** Interface ***
!
!
! *** Rate-Limit ***
!
!
! *** MLT (Phase 1) ***
!
!
! *** MAC-Based Security ***
!
!
! *** LACP (Phase 2) ***
!
!
! *** ADAC ***
!
!
! *** MSTP (Phase 2) ***
!
!
! *** Port Mirroring ***
!
!
! *** VLAN Phase 2***
!
!
! *** MLT (Phase 2) ***
!
!
! *** PoE ***
!
!
! *** RTC ***
!
!
! *** Extreme Networks Energy Saver ***
!
!
! *** AUR ***
!
!
! *** AAUR ***
!
!
! *** L3 ***
!
interface vlan 1010
ip address 192.168.101.15 255.255.255.0 2
exit
!
ip routing
!
!
! *** IPV6 ***
!
!
! *** MLD ***
!
!
! *** FHS ***
!
!
! --- FHS Global settings ---
!
!
! --- IPV6 access list settings ---
!
!
! --- IPv6 mac access list settings ---
!
!
! --- IPV6 dhcp guard settings ---
!
!
! --- IPV6 RA Guard settings ---
!
!
! --- IPV6 Policy Port Map settings ---
!
!
! --- IPV6 FHS ND SBT Table settings ---
!
!
! --- IPV6 Source Guard Interface settings ---
!
!
! *** VLACP ***
!
!
! *** DHCP Relay ***
!
!
! *** L3 Protocols ***
!
!
! --- IP Directed Broadcast ---
!
!
! --- Proxy ARP ---
!
!
! --- UDP Broadcast Forwarding ---
!
!
! --- Route Policies ---
!
!
! --- RIP ---
!
!
! *** DHCP SNOOPING ***
!
!
! *** ARP INSPECTION ***
!
!
! *** IP SOURCE GUARD ***
!
!
! *** IGMP ***
!
interface vlan 1
ip igmp
exit
interface vlan 30
ip igmp
exit
interface vlan 1010
ip igmp
exit
!
! *** STACK MONITOR ***
!
!
! *** SLPP-guard ***
!
!
! *** DHCP Server ***
!
!
! *** SLAMON ***
!
!
! *** STORM CONTROL ***
!
!
! *** Fabric Attach ***
!
fa zero-touch-option auto-trusted-mode-fa-client client-type 6
fa zero-touch-option auto-pvid-mode-fa-client client-type 6
i-sid 1000030 vlan 30
i-sid 1001010 vlan 1010
!
! *** ZTP+ ***
