Using NAC to Fabric attach an ERS 4900 to an ERS 5900

ExtremeNorth
New Contributor III
I have ERS5900s running full Fabric Connect (NNI ports) back to VSP8400s, and I would like to use FA to connect another ERS4900 switch to an EAP-enabled port. All ports on the 5900 are EAP enabled and controlled with Extreme NAC to auto-provision the VLAN:I-SID for phones (port set as untagPvidOnly with ADAC/LLDP) and clients (port is default untagAll).

When I connect the 4900 switch to a port I can use MAC auth to set the VLAN, but I cannot set the port to tagAll (or untagPvidOnly) so that VLANs are passed through. In XMC the policy mapping has an option for VLAN Egress (Tagged/Untagged/Same as Ingress/User Defined), but it does not seem to change the port tagging behavior.

I realize I can just change the port to be authorized and manually enable the port for tagging, but I would like to leave all ports as generic ports so we can attach the switch anywhere on the network.

Thanks in advance.

Terrel Hobbs
Yellowknife, NT
1 ACCEPTED SOLUTION

Ludovico_Steven
Extreme Employee
Hi
Some of what you are trying to do is possible. But not everything.
For a start the XMC Policy Egress VLAN tab will have no effect on ERS.
You can however achieve the desired ERS port config by returning these RADIUS attributes to the switch when opening the port:

FA-VLAN-Create=1
FA-VLAN-PVID=10
FA-VLAN-ISID=10:20010
FA-VLAN-ISID=20:20020
FA-VLAN-ISID=30:20030

This would allow NAC to create and assign all of VLANs 10,20,30 on the authorized port, where VLAN 10 is the Untagged VLAN on that port.

However, the above attributes, with multiple VLANs, will only be processed if the port being authorized is in MHSA mode (Multi-Host-Single-Authentication), which requires this config on the ERS, globally:

eapol multihost auto-non-eap-mhsa-enable

And at port level:

eapol multihost auto-non-eap-mhsa-enable mhsa-no-limit

Which is what you need anyway, as you will be getting traffic from lots of other MACs once you've opened the port to the ERS4900 behind.
The trouble is that now you have a different config for that port, which is not what you intended.
There is an FA zero-touch-option which is designed to automatically set the port to MHSA based on detection of an FA client on the port:

fa zero-touch-option auto-port-mode-fa-client client-type

But unfortunately it cannot be set to FA-type = FA-Proxy, which is what the ERS4900 will FA announce itself as. Might be worth an enhancement...

mneumann
New Contributor

Me again,

In the meantime, I figured out that passing the value [FA-Client-Trust=1] unfortunately doesn't get any attention on the switch.

Now the question is: is this not supported, or is the attribute wrong?

Cheers - Matthias

mneumann
New Contributor

As Ludo stated, both EAP commands (global/port-level) solve the issue you pointed out in this thread.

I had the same experience and I was looking here for a solution - and Ludo helped again  🙂

Here is all the related information as a summary.

Ports 1-12 are EAP enabled and I want to assign a VLAN:I-SID (10:10012) dynamically once the device is authenticated.

The RADIUS return attribute is as Ludo mentioned above.

+-------------------------------------------------------------------------
Global:
eapol multihost auto-non-eap-mhsa-enable

Port level:
eapol multihost auto-non-eap-mhsa-enable mhsa-no-limit
+-------------------------------------------------------------------------

! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 4926GTS-PWR+
! Software version = v7.7.0.003
!
! Displaying only parameters different to default
!================================================
enable
configure terminal

!
! *** Fabric Attach ***
!
fa uplink trunk 1
fa timeout 45
fa extended-logging
fa zero-touch-option auto-trusted-mode-fa-client client-type 6-17
fa zero-touch-option auto-pvid-mode-fa-client client-type 6-17
fa zero-touch-option auto-mgmt-vlan-fa-client
fa zero-touch-option auto-client-attach
no fa message-authentication 1-24
! i-sid 10012 vlan 12 ==> created by FA Client

!
! *** EAP ***
!
eapol multihost radius-non-eap-enable
eapol multihost auto-non-eap-mhsa-enable
interface Ethernet ALL
eapol multihost port 1-12 eap-mac-max 4 allow-non-eap-enable non-eap-mac-max 4 radius-non-eap-enable auto-non-eap-mhsa-enable non-eap-phone-enable mac-max 64 mhsa-no-limit
exit
interface Ethernet ALL
eapol port 1-12 status auto re-authentication enable
exit

FAP-2#sho vlan interface vids 3,7
******************************************************************************
        Command Execution Time: 2019-10-21 09:31:32 GMT+02:00    UTC time: 2019-10-21 07:31:32
******************************************************************************
Port VLAN VLAN Name         VLAN VLAN Name         VLAN VLAN Name
---- ---- ----------------  ---- ----------------  ---- ----------------
3    12   VLAN #12
---- ---- ----------------  ---- ----------------  ---- ----------------
7    12   VLAN #12
---- ---- ----------------  ---- ----------------  ---- ----------------

FAP-2#sho vlan interface info  3,7
******************************************************************************
        Command Execution Time: 2019-10-21 09:31:37 GMT+02:00    UTC time: 2019-10-21 07:31:37
******************************************************************************
      Filter     Filter
     Untagged Unregistered
Port  Frames     Frames    PVID PRI    Tagging    Name
---- -------- ------------ ---- --- ------------- ----------------
3    No       No           12   0   UntagPvidOnly Port 3
7    No       No           12   0   UntagPvidOnly Port 7

# sho log
I    2019-10-21T09:25:43+02:00     23       Fabric Attach: binding activation success (port 7 10012/12)
I    2019-10-21T09:25:43+02:00     22       Fabric Attach: binding activation success (port 3 10012/12)
I    2019-10-21T09:25:43+02:00     21       Fabric Attach: binding activation success (trunk 1 10012/12)

Thanks again and good luck to all the others who will run into the same “finding”  🙂

Cheers - Matthias
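
A pre-flight check for the RADIUS attribute set from the accepted answer against the MHSA config Matthias posted, written here as an added example (not Extreme code and not either poster's). The attribute, config and log samples are constructed from this thread; the 48-port default and the rule that a port-level MHSA line without a 'port' list covers every port are assumptions.

```python
import re
ISID_RE = re.compile(r"^FA-VLAN-ISID=(\d+):(\d+)$")
LOG_RE = re.compile(r"Fabric Attach: binding activation success \((port|trunk) (\d+) (\d+)/(\d+)\)")
# Constructed samples from the thread: the answer's attributes, Matthias's MHSA config lines and log lines.
ATTRS = ["FA-VLAN-Create=1", "FA-VLAN-PVID=10", "FA-VLAN-ISID=10:20010",
         "FA-VLAN-ISID=20:20020", "FA-VLAN-ISID=30:20030"]
CONFIG = ["eapol multihost auto-non-eap-mhsa-enable", "interface Ethernet ALL",
          "eapol multihost port 1-12 eap-mac-max 4 auto-non-eap-mhsa-enable mhsa-no-limit", "exit"]
LOG = ["I 2019-10-21T09:25:43+02:00 23 Fabric Attach: binding activation success (port 7 10012/12)",
       "I 2019-10-21T09:25:43+02:00 21 Fabric Attach: binding activation success (trunk 1 10012/12)"]

def parse_fa_attributes(attrs):
    """Return (pvid, {vlan: isid}) from 'Name=Value' strings; FA-VLAN-Create needs no parsing here."""
    pvid, bindings = None, {}
    for a in attrs:
        if a.startswith("FA-VLAN-PVID="):
            pvid = int(a.split("=", 1)[1])
        elif m := ISID_RE.match(a):
            bindings[int(m.group(1))] = int(m.group(2))  # VLAN:I-SID, one attribute per VLAN
    return pvid, bindings

def mhsa_ports(config_lines, n_ports=48):
    """Ports in MHSA mode: the global auto-non-eap-mhsa-enable plus a port-level line with
    mhsa-no-limit. Assumption: a port-level line with no 'port' list applies to every port."""
    glob = "eapol multihost auto-non-eap-mhsa-enable" in [l.strip() for l in config_lines]
    ports = set()
    for l in config_lines:
        if "auto-non-eap-mhsa-enable" in l and "mhsa-no-limit" in l:
            m = re.search(r"\bport (\d+)(?:-(\d+))?", l)  # single port or 'lo-hi' range
            ports |= (set(range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1)) if m
                      else set(range(1, n_ports + 1)))
    return ports if glob else set()

def check_authorization(attrs, config_lines, port):
    """Findings that stop the attribute set from taking effect on 'port' (empty list = OK)."""
    pvid, bindings = parse_fa_attributes(attrs)
    findings = []
    if pvid is not None and pvid not in bindings:
        findings.append(f"FA-VLAN-PVID {pvid} is not one of the returned VLANs {sorted(bindings)}")
    if len(bindings) > 1 and port not in mhsa_ports(config_lines):
        findings.append(f"port {port} is not in MHSA mode; multi-VLAN attributes will be ignored")
    return findings

def parse_bindings_log(log_lines):
    """'port 7' / 'trunk 1' -> {vlan: isid} from the 'binding activation success' log lines."""
    seen = {}
    for l in log_lines:
        if m := LOG_RE.search(l):
            seen.setdefault(f"{m.group(1)} {m.group(2)}", {})[int(m.group(4))] = int(m.group(3))
    return seen
```

Running `check_authorization(ATTRS, CONFIG, 20)` against the same config flags the MHSA gap for a port outside 1-12, which is the symptom both posters hit before adding the port-level command.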

ExtremeNorth
New Contributor III
Thanks for the response Ludovico.

Good to know that the XMC Policy Egress has no effect; I think this would be a nice enhancement...

  • I am sending the RADIUS attributes, but the switch says "EAP: Pvid attribute from RADIUS ignored" when I added the FA-VLAN-PVID.
  • Globally I have "eapol multihost auto-non-eap-mhsa-enable".
  • On every port I had "eapol multihost eap-mac-max 32 non-eap-mac-max 32 radius-non-eap-enable mac-max 32", and I added "auto-non-eap-mhsa-enable mhsa-no-limit", which does not affect it.
  • I do have "fa zero-touch-option auto-port-mode-fa-client client-type 6,8" enabled.
  • I also have "fa zero-touch-client standard switch vlan xxx i-sid xxxxxx" set so it adds the WAP VLAN to the port.
When I "show fa elements", the 5900 shows the 4900 as a Proxy, and the 4900 shows the 5900 as a Server (since it is set up as an FC switch). I will try sending multiple VLANs when the switch authenticates, and will update my findings.

Terrel.
