Problem with 802.1X Microsoft Machine authentication

Mark_Severijnen
New Contributor

Hello All,

Having a problem with 802.1X Microsoft Machine authentication:

We are using XMC 8.5.4.23 and X435-8P-4S with EXOS 31.2.1.1.

Config of X435 is:

In fact the most relevant parts:

configure vlan default delete ports all
configure vr VR-Default delete ports 1-12
configure vr VR-Default add ports 1-12
configure vlan default delete ports 1-12
create qosprofile "QP2"
create qosprofile "QP3"
create qosprofile "QP4"
create qosprofile "QP5"
create qosprofile "QP6"
create qosprofile "QP7"
configure ports group "Default (IRL.0)" add 1-11
configure ports group "Default (TXQ.0)" add 1-11
create vlan "nt_login"
create vlan "unauthenticated"
configure vlan unauthenticated tag 4000
create vlan "UZ-Produktiv"
configure vlan UZ-Produktiv tag 10
create vlan "v2125-Telefonie_Telefone"
configure vlan v2125-Telefonie_Telefone tag 2125
create vlan "vlan2019-Man-FW"
configure vlan vlan2019-Man-FW tag 2019
create vlan "vlan2024-Man-Switch"
configure vlan vlan2024-Man-Switch tag 2024
disable port 1
configure ports 11 auto off speed 1000 duplex full 
configure ports 12 auto off speed 1000 duplex full 
configure vlan vlan2019-Man-FW add ports 3 untagged  
configure vlan vlan2024-Man-Switch add ports 4 untagged  
configure qosscheduler strict-priority ports "Default (TXQ.0)" 
configure qosscheduler strict-priority ports 12 
configure qosprofile QP1 maxbuffer 100 weight 1 ports "Default (TXQ.0)"
configure qosprofile QP2 maxbuffer 100 weight 1
configure qosprofile QP2 maxbuffer 100 weight 1 ports "Default (TXQ.0)"
configure qosprofile QP3 maxbuffer 100 weight 1
configure qosprofile QP3 maxbuffer 100 weight 1 ports "Default (TXQ.0)"
configure qosprofile QP4 maxbuffer 100 weight 1
configure qosprofile QP4 maxbuffer 100 weight 1 ports "Default (TXQ.0)"
configure qosprofile QP5 maxbuffer 100 weight 1
configure qosprofile QP5 maxbuffer 100 weight 1 ports "Default (TXQ.0)"
configure qosprofile QP6 maxbuffer 100 weight 1
configure qosprofile QP6 maxbuffer 100 weight 1 ports "Default (TXQ.0)"
configure qosprofile QP7 maxbuffer 100 weight 1
configure qosprofile QP7 maxbuffer 100 weight 1 ports "Default (TXQ.0)"
configure qosprofile QP8 maxbuffer 100 weight 1 ports "Default (TXQ.0)"
configure dot1p type 0 qosprofile QP1 ingress-meter ingmeter0
configure dot1p type 1 qosprofile QP2 ingress-meter ingmeter1
configure dot1p type 2 qosprofile QP3 ingress-meter ingmeter2
configure dot1p type 3 qosprofile QP4 ingress-meter ingmeter3
configure dot1p type 4 qosprofile QP5 ingress-meter ingmeter4
configure dot1p type 5 qosprofile QP6 ingress-meter ingmeter5
configure dot1p type 6 qosprofile QP7 ingress-meter ingmeter6
configure dot1p type 7 qosprofile QP8 ingress-meter ingmeter7
configure cos-index 8 qosprofile QP4 replace-tos 64

#
# Module policy configuration.
#
configure netlogin port 2 authentication mode optional
configure policy profile 1 name "Failsafe" pvid-status "enable" pvid 4095 
configure policy profile 2 name "Access Point" pvid-status "enable" pvid 4095 auth-override "enable" 
configure policy profile 3 name "Administrator" pvid-status "enable" pvid 4095 
configure policy profile 4 name "Deny Access" pvid-status "enable" pvid 0 
configure policy profile 5 name "Guest Access" pvid-status "enable" pvid 4095 cos-status "enable" cos 1 
configure policy profile 6 name "Enterprise Access" pvid-status "enable" pvid 4095 cos-status "enable" cos 3 
configure policy profile 7 name "Quarantine" pvid-status "enable" pvid 0 
configure policy profile 8 name "Server" pvid-status "enable" pvid 4095 cos-status "enable" cos 4 
configure policy profile 9 name "Printer" pvid-status "enable" pvid 0 cos-status "enable" cos 1 
configure policy profile 10 name "Unregistered" pvid-status "enable" pvid 0 
configure policy profile 11 name "Enterprise User" pvid-status "enable" pvid 4095 cos-status "enable" cos 4 
configure policy profile 12 name "VoIP Phone" pvid-status "enable" pvid 4095 cos-status "enable" cos 6 
configure policy profile 13 name "Notification" pvid-status "enable" pvid 4095 cos-status "enable" cos 4 
configure policy profile 14 name "Assessing" pvid-status "enable" pvid 0 
configure policy profile 15 name "VoIP Phone Tagged" pvid-status "enable" pvid 2125 cos-status "enable" cos 6 egress-vlans 2125 nsi 82125 
configure policy profile 16 name "Wired 802.1X VLAN10 Machine" pvid-status "enable" pvid 10 untagged-vlans 10 nsi 80010 

configure policy maptable response both
enable policy

#
# Module aaa configuration.
#
configure radius mgmt-access primary server 10.8.64.161 1812 client-ip 10.8.25.200 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "#$xxxxxx"
configure radius mgmt-access secondary server 10.16.64.161 1812 client-ip 10.8.25.200 vr VR-Default
configure radius mgmt-access secondary shared-secret encrypted "#$xxxxxx="
configure radius netlogin primary server 10.8.64.161 1812 client-ip 10.8.25.200 vr VR-Default
configure radius netlogin primary shared-secret encrypted "#$xxxxx"
configure radius netlogin secondary server 10.16.64.161 1812 client-ip 10.8.25.200 vr VR-Default
configure radius netlogin secondary shared-secret encrypted "#$xxxxxxx"
configure radius-accounting mgmt-access primary server 10.8.64.161 1813 client-ip 10.8.25.200 vr VR-Default
configure radius-accounting mgmt-access primary shared-secret encrypted "#$xxxxxxx"
configure radius-accounting mgmt-access secondary server 10.8.64.161 1813 client-ip 10.8.25.200 vr VR-Default
configure radius-accounting mgmt-access secondary shared-secret encrypted "#$xxxxxxx"
configure radius-accounting netlogin primary server 10.8.64.161 1813 client-ip 10.8.25.200 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "#$xxxxxx"
configure radius-accounting netlogin secondary server 10.8.64.161 1813 client-ip 10.8.25.200 vr VR-Default
configure radius-accounting netlogin secondary shared-secret encrypted "#$xxxxxxx"
enable radius netlogin
create account admin xxxxx encrypted "$5xxxxx/" 

#
# Module acl configuration.
#

configure access-list zone SYSTEM application Mrp application-priority 2
configure access-list zone SYSTEM application IpSecurity application-priority 3
configure access-list zone SYSTEM application FIPSnooping application-priority 4
configure access-list zone SYSTEM application Dot1Ag application-priority 5
configure access-list zone SYSTEM application Dot1AgDefault application-priority 6
configure access-list zone SYSTEM application NetLogin application-priority 7
configure access-list zone SYSTEM application FDB application-priority 8
configure access-list zone SYSTEM application HealthCheckLAG application-priority 9
configure access-list zone SYSTEM application IdentityManager application-priority 10
configure access-list zone SYSTEM application VMTracking application-priority 11
configure access-list zone SYSTEM application PolicyManager application-priority 12
configure access-list zone SYSTEM application Policy application-priority 13
configure access-list zone SYSTEM application L2PT_PF application-priority 14
configure access-list zone SYSTEM application Snmp application-priority 17
configure access-list zone SYSTEM application Telnet application-priority 18
configure access-list zone SYSTEM application Http application-priority 19
configure access-list zone SYSTEM application Ssh2 application-priority 20
configure access-list zone SYSTEM application VlanManager application-priority 21
configure access-list zone SYSTEM application SlppGuard application-priority 22
configure access-list zone SYSTEM application ElrpHwAssist application-priority 23
#
# Module ems configuration.
#
enable log debug-mode
configure log filter DefaultFilter add events nl severity debug-verbose 
configure log filter DefaultFilter add events AAA severity debug-verbose 
enable log target console 
#
# Module exsshd configuration.
#
enable ssh2

#
# Module lldp configuration.
#
configure lldp port 1 advertise port-description
configure lldp port 1 advertise system-capabilities
configure lldp port 1 advertise management-address
configure lldp port 2 advertise port-description
configure lldp port 2 advertise system-capabilities
configure lldp port 2 advertise management-address
configure lldp port 2 advertise vendor-specific med capabilities
configure lldp port 3 advertise port-description
configure lldp port 3 advertise system-capabilities
configure lldp port 3 advertise management-address
configure lldp port 4 advertise port-description
configure lldp port 4 advertise system-capabilities
configure lldp port 4 advertise management-address
configure lldp port 5 advertise port-description
configure lldp port 5 advertise system-capabilities
configure lldp port 5 advertise management-address
configure lldp port 6 advertise port-description
configure lldp port 6 advertise system-capabilities
configure lldp port 6 advertise management-address
configure lldp port 7 advertise port-description
configure lldp port 7 advertise system-capabilities
configure lldp port 7 advertise management-address
configure lldp port 8 advertise port-description
configure lldp port 8 advertise system-capabilities
configure lldp port 8 advertise management-address
configure lldp port 9 advertise port-description
configure lldp port 9 advertise system-capabilities
configure lldp port 9 advertise management-address
configure lldp port 10 advertise port-description
configure lldp port 10 advertise system-capabilities
configure lldp port 10 advertise management-address
configure lldp port 11 advertise port-description
configure lldp port 11 advertise system-capabilities
configure lldp port 11 advertise management-address
configure lldp port 12 advertise port-description
configure lldp port 12 advertise system-capabilities
configure lldp port 12 advertise management-address
configure lldp port 2 advertise vendor-specific med policy application voice vlan v2125-Telefonie_Telefone dscp 46
configure vlan UZ-Produktiv add nsi 80010
configure vlan vlan2019-Man-FW add nsi 82019
configure vlan vlan2024-Man-Switch add nsi 82024
configure vlan v2125-Telefonie_Telefone add nsi 82125
#
# Module netLogin configuration.
#
enable netlogin dot1x mac 
configure netlogin mac authentication database-order radius
enable netlogin ports 1-2 dot1x 
enable netlogin ports 2 mac 
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48

#
# Module netTools configuration.
#
configure dns-client add name-server 192.168.8.2 vr VR-Default
configure dns-client add name-server 10.8.64.2 vr VR-Default
configure sntp-client primary 192.168.8.2 vr VR-Default
configure sntp-client secondary 192.168.17.2 vr VR-Default
configure sntp-client broadcast vr VR-Default
enable sntp-client

#
# Module ntp configuration.
#

#
# Module poe configuration.
#

#
# Module snmpMaster configuration.
#
configure snmpv3 engine-id 03:00:04:96:e4:6a:c2
configure snmpv3 add user "xxxxx" engine-id 80:00:07:7c:03:00:04:96:e4:6a:c2 authentication sha auth-encrypted localized-key xxxxx privacy aes 128 privacy-encrypted localized-key xxxxxx
configure snmpv3 add group "admin" user "xxxxx" sec-model usm 
configure snmpv3 add target-params "TV1v3snmpuser" user "snmpuser" mp-model snmpv3 sec-model usm sec-level priv 
configure snmpv3 add notify "TVInformTag" tag "TVInformTag" type inform 
enable snmp access
disable snmp access snmp-v1v2c
enable snmp access snmpv3

#
# Module stp configuration.
#
disable stpd s0
More text in second posting
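A consistency check one can run over a config dump like the one above before chasing a firmware bug. This is an added example, not code from the post or from Extreme; it parses the VLAN tag, VLAN NSI, policy profile, netlogin and RADIUS lines and reports profiles whose NSI maps to no VLAN, or whose PVID disagrees with the tag of the VLAN that NSI points to. The embedded config is a constructed excerpt of the posted lines plus one deliberately inconsistent profile (17, "Hypothetical Broken"), which is not from the post. It also assumes, as stated in the comments, that PVID 0 and 4095 in an Extreme policy profile do not name a real VLAN.

```python
import re

# Constructed excerpt of the posted X435 config, reduced to the lines this check reads.
# Profile 17 is a constructed, inconsistent entry (not in the post) so the audit reports something.
SAMPLE_CONFIG = """\
create vlan "UZ-Produktiv"
configure vlan UZ-Produktiv tag 10
create vlan "v2125-Telefonie_Telefone"
configure vlan v2125-Telefonie_Telefone tag 2125
configure policy profile 1 name "Failsafe" pvid-status "enable" pvid 4095
configure policy profile 4 name "Deny Access" pvid-status "enable" pvid 0
configure policy profile 15 name "VoIP Phone Tagged" pvid-status "enable" pvid 2125 cos-status "enable" cos 6 egress-vlans 2125 nsi 82125
configure policy profile 16 name "Wired 802.1X VLAN10 Machine" pvid-status "enable" pvid 10 untagged-vlans 10 nsi 80010
configure policy profile 17 name "Hypothetical Broken" pvid-status "enable" pvid 20 nsi 80020
enable policy
configure radius netlogin primary server 10.8.64.161 1812 client-ip 10.8.25.200 vr VR-Default
configure vlan UZ-Produktiv add nsi 80010
configure vlan v2125-Telefonie_Telefone add nsi 82125
enable netlogin dot1x mac
enable netlogin ports 1-2 dot1x
enable netlogin ports 2 mac
"""

RE_VLAN_TAG = re.compile(r'^configure vlan (\S+) tag (\d+)$')
RE_VLAN_NSI = re.compile(r'^configure vlan (\S+) add nsi (\d+)$')
RE_PROFILE = re.compile(r'^configure policy profile (\d+) name "([^"]*)"(.*)$')
RE_DOT1X_PORTS = re.compile(r'^enable netlogin ports (\S+) dot1x\b')
RE_RADIUS = re.compile(r'^configure radius netlogin (primary|secondary) server (\S+) (\d+)\b')

# Assumption (not stated in the thread): in Extreme policy a PVID of 0 means "discard"
# and 4095 means "no VLAN override", so neither refers to a real VLAN tag.
NO_VLAN_PVIDS = {0, 4095}


def expand_ports(spec):
    """Expand an EXOS port list such as '1-2,5' into a set of port numbers."""
    ports = set()
    for part in spec.split(','):
        lo, _, hi = part.partition('-')
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_config(text):
    """Collect the VLAN, policy-profile, netlogin and RADIUS facts the audit needs."""
    cfg = {'vlans': {}, 'profiles': {}, 'dot1x_ports': set(), 'radius': [],
           'policy_enabled': False, 'dot1x_enabled': False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_VLAN_TAG.match(line):
            cfg['vlans'].setdefault(m[1], {})['tag'] = int(m[2])
        elif m := RE_VLAN_NSI.match(line):
            cfg['vlans'].setdefault(m[1], {})['nsi'] = int(m[2])
        elif m := RE_PROFILE.match(line):
            # 'pvid-status' and 'cos' are skipped because the word boundary requires a space after the key
            kv = dict(re.findall(r'\b(pvid|nsi) (\d+)', m[3]))
            cfg['profiles'][int(m[1])] = {
                'name': m[2],
                'pvid': int(kv['pvid']) if 'pvid' in kv else None,
                'nsi': int(kv['nsi']) if 'nsi' in kv else None,
            }
        elif m := RE_DOT1X_PORTS.match(line):
            cfg['dot1x_ports'] |= expand_ports(m[1])
        elif m := RE_RADIUS.match(line):
            cfg['radius'].append((m[1], m[2], int(m[3])))
        elif line == 'enable policy':
            cfg['policy_enabled'] = True
        elif line.startswith('enable netlogin dot1x'):
            cfg['dot1x_enabled'] = True
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means the pieces agree with each other."""
    findings = []
    if not cfg['policy_enabled']:
        findings.append("policy is not enabled, so RADIUS-assigned profiles cannot be applied")
    if not cfg['dot1x_enabled']:
        findings.append("netlogin dot1x is not enabled globally")
    if not cfg['dot1x_ports']:
        findings.append("no ports have netlogin dot1x enabled")
    if not cfg['radius']:
        findings.append("no RADIUS netlogin server is configured")
    nsi_to_vlan = {v['nsi']: (name, v) for name, v in cfg['vlans'].items() if 'nsi' in v}
    for pid, p in sorted(cfg['profiles'].items()):
        if p['nsi'] is None:
            continue  # profile assigns no VLAN via NSI; nothing to cross-check
        if p['nsi'] not in nsi_to_vlan:
            findings.append(f"profile {pid} '{p['name']}' uses nsi {p['nsi']} but no VLAN maps that NSI")
            continue
        vlan_name, v = nsi_to_vlan[p['nsi']]
        if p['pvid'] not in NO_VLAN_PVIDS and p['pvid'] != v.get('tag'):
            findings.append(f"profile {pid} '{p['name']}' pvid {p['pvid']} does not match "
                            f"VLAN {vlan_name} tag {v.get('tag')} (nsi {p['nsi']})")
    return findings


if __name__ == '__main__':
    for finding in audit(parse_config(SAMPLE_CONFIG)) or ['no inconsistencies found']:
        print(finding)
```

Run it against a full `show configuration` dump; profiles 15 and 16 from the post pass, and only the constructed profile 17 is reported. A clean result narrows the problem to the authentication exchange itself rather than to the VLAN/NSI mapping.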

Stefan_K_
Valued Contributor

The patch has been released.

XOS 31.2.1-Patch1-5

Best regards
Stefan

Mark_Severijnen
New Contributor

Hello All,

Got an e-mail from GTAG saying “the patch is tentatively scheduled to be released mid April”.

Let's hope so.

regards,

Mark

Mark_Severijnen
New Contributor

Hello StephanH and Stefan K.

We ran into the same bug: downgraded back to 31.1.1.2-patch1-1 and all was fine again.

Had a case open for XMC and asked those guys to escalate the case to the switch people.
Thanks for both your contribution!

We will have to hope for a quick release of the patch which seems to be there already but not published for some unknown reason.

regards,

Mark

Stefan_K_
Valued Contributor