04-09-2019 11:22 PM
When I connect the 4900 switch to a port I can use MAC auth to set the VLAN, but I cannot set the port for tagAll (or untagPvidOnly) so that VLANs are passed through. In XMC the policy mapping has an option for VLAN Egress: (Tagged/Untagged/Same as Ingress/User Defined) but it does not seem to change the port tagging behavior.
I realize I can just change the port to be authorized and manually enable the port for tagging, but I would like to leave all ports as generic ports so we can attach the switch anywhere on the network.
Thanks in advance.
Terrel Hobbs
Yellowknife, NT
04-10-2019 07:23 AM
Some of what you are trying to do is possible. But not everything.
For a start the XMC Policy Egress VLAN tab will have no effect on ERS.
You can however achieve the desired ERS port config by returning these RADIUS attributes to the switch when opening the port:
FA-VLAN-Create=1
FA-VLAN-PVID=10
FA-VLAN-ISID=10:20010
FA-VLAN-ISID=20:20020
FA-VLAN-ISID=30:20030
This would allow NAC to create and assign all of VLANs 10,20,30 on the authorized port, where VLAN 10 is the Untagged VLAN on that port.
However, the above attributes, with multiple VLANs, will only be processed if the port being authorized is in MHSA mode (Multi-Host-Single-Authentication), which requires this config on the ERS, globally:
eapol multihost auto-non-eap-mhsa-enable
And at port level:
eapol multihost auto-non-eap-mhsa-enable mhsa-no-limit
Which is what you need anyway, as you will be getting traffic from lots of other MACs once you've opened the port to the ERS4900 behind.
The trouble is that now you have a different config for that port, which is not what you intended.
There is an FA zero-touch-option which is designed to automatically set the port to MHSA based on detection of an FA client on the port:
fa zero-touch-options auto-port-mode-fa-client client-type
But unfortunately it cannot be set to FA-type = FA-Proxy, which is what the ERS4900 will FA announce itself as. Might be worth an enhancement...
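The answer above lists the FA RADIUS return attributes as plain Name=Value strings and says that more than one VLAN is only honoured on an MHSA port. The following is an added example, not Ludo's or the thread's code: a small Python model that parses such an attribute list into the port state it asks for, rejects malformed or inconsistent sets before they reach a NAC policy, and flags when the set needs MHSA. Assumptions not stated on the page: VLAN IDs are 1..4094, I-SIDs are 24-bit (1..16777215), and attributes the model does not know are collected rather than rejected, since the switch may simply ignore them. The VSA encoding the RADIUS server uses on the wire is out of scope here.

```python
"""Model the ERS port state that a set of Fabric Attach RADIUS return
attributes (FA-VLAN-Create, FA-VLAN-PVID, FA-VLAN-ISID) asks for.
Added example, not code from the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VLAN_MIN, VLAN_MAX = 1, 4094            # assumption: 802.1Q VLAN ID range
ISID_MIN, ISID_MAX = 1, (1 << 24) - 1   # assumption: I-SID is a 24-bit field


@dataclass
class FaPortState:
    create: bool = False                 # FA-VLAN-Create=1 lets the switch create the VLANs
    pvid: Optional[int] = None           # the untagged VLAN on the port
    bindings: Dict[int, int] = field(default_factory=dict)  # vlan -> isid
    ignored: List[str] = field(default_factory=list)        # attributes this model does not know

    @property
    def needs_mhsa(self) -> bool:
        # From the thread: more than one VLAN is only processed on an MHSA port.
        return len(self.bindings) > 1

    @property
    def tagged_vlans(self) -> List[int]:
        # Every returned VLAN other than the PVID is carried tagged.
        return sorted(v for v in self.bindings if v != self.pvid)


def _vlan(text: str) -> int:
    vlan = int(text)
    if not VLAN_MIN <= vlan <= VLAN_MAX:
        raise ValueError(f"VLAN {vlan} outside {VLAN_MIN}..{VLAN_MAX}")
    return vlan


def parse_fa_attributes(attrs: List[str]) -> FaPortState:
    """Parse 'Name=Value' strings; raise ValueError on anything the switch could not act on."""
    state = FaPortState()
    for raw in attrs:
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"not Name=Value: {raw!r}")
        name, value = name.strip(), value.strip()
        if name == "FA-VLAN-Create":
            state.create = value == "1"
        elif name == "FA-VLAN-PVID":
            state.pvid = _vlan(value)
        elif name == "FA-VLAN-ISID":
            vlan_text, sep, isid_text = value.partition(":")
            if not sep:
                raise ValueError(f"FA-VLAN-ISID must be vlan:isid, got {value!r}")
            vlan, isid = _vlan(vlan_text), int(isid_text)
            if not ISID_MIN <= isid <= ISID_MAX:
                raise ValueError(f"I-SID {isid} outside {ISID_MIN}..{ISID_MAX}")
            if vlan in state.bindings and state.bindings[vlan] != isid:
                raise ValueError(f"VLAN {vlan} bound to two different I-SIDs")
            state.bindings[vlan] = isid
        else:
            state.ignored.append(raw)   # e.g. FA-Client-Trust, which the thread found unhandled
    if state.pvid is not None and state.pvid not in state.bindings:
        raise ValueError(f"PVID {state.pvid} is not among the returned VLANs")
    return state


def validation_error(attrs: List[str]) -> Optional[str]:
    """None when the attribute set is consistent, otherwise the reason it is not."""
    try:
        parse_fa_attributes(attrs)
    except ValueError as err:
        return str(err)
    return None


# The attribute set from the answer above.
SAMPLE_ATTRIBUTES = [
    "FA-VLAN-Create=1",
    "FA-VLAN-PVID=10",
    "FA-VLAN-ISID=10:20010",
    "FA-VLAN-ISID=20:20020",
    "FA-VLAN-ISID=30:20030",
]

if __name__ == "__main__":
    state = parse_fa_attributes(SAMPLE_ATTRIBUTES)
    print(f"PVID {state.pvid}, tagged {state.tagged_vlans}, needs MHSA: {state.needs_mhsa}")
```

Run it before loading the policy into NAC: a PVID that is not among the FA-VLAN-ISID VLANs, or two bindings for the same VLAN, is reported as an error instead of silently producing a port that passes fewer VLANs than intended.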
10-21-2019 08:18 AM
Me again,
In the meantime, I figured out that passing the value [FA-Client-Trust=1] unfortunately doesn't get any attention on the switch.
Now the question is, is this not supported or is the attribute wrong?
Cheers - Matthias
- Controlware GmbH -
Germany
10-21-2019 07:42 AM
As Ludo stated, both EAP commands (global/port-level) solve the issue you pointed out in this thread.
I had the same experience and I was looking here for a solution - and Ludo helped again 🙂
Here is all the related information as a summary.
Ports 1-12 are EAP enabled and I want to assign a VLAN:I-SID (10:10012) dynamically once the device is authenticated.
The RADIUS return attribute is as Ludo mentioned above.
+-------------------------------------------------------------------------
Global:
eapol multihost auto-non-eap-mhsa-enable
Port level:
eapol multihost auto-non-eap-mhsa-enable mhsa-no-limit
+-------------------------------------------------------------------------
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 4926GTS-PWR+
! Software version = v7.7.0.003
!
! Displaying only parameters different to default
!================================================
enable
configure terminal
!
! *** Fabric Attach ***
!
fa uplink trunk 1
fa timeout 45
fa extended-logging
fa zero-touch-option auto-trusted-mode-fa-client client-type 6-17
fa zero-touch-option auto-pvid-mode-fa-client client-type 6-17
fa zero-touch-option auto-mgmt-vlan-fa-client
fa zero-touch-option auto-client-attach
no fa message-authentication 1-24
! i-sid 10012 vlan 12 ==> created by FA Client
!
! *** EAP ***
!
eapol multihost radius-non-eap-enable
eapol multihost auto-non-eap-mhsa-enable
interface Ethernet ALL
eapol multihost port 1-12 eap-mac-max 4 allow-non-eap-enable non-eap-mac-max 4 radius-non-eap-enable auto-non-eap-mhsa-enable non-eap-phone-enable mac-max 64 mhsa-no-limit
exit
interface Ethernet ALL
eapol port 1-12 status auto re-authentication enable
exit
FAP-2#sho vlan interface vids 3,7
******************************************************************************
Command Execution Time: 2019-10-21 09:31:32 GMT+02:00 UTC time: 2019-10-21 07:31:32
******************************************************************************
Port VLAN VLAN Name VLAN VLAN Name VLAN VLAN Name
---- ---- ---------------- ---- ---------------- ---- ----------------
3 12 VLAN #12
---- ---- ---------------- ---- ---------------- ---- ----------------
7 12 VLAN #12
---- ---- ---------------- ---- ---------------- ---- ----------------
FAP-2#sho vlan interface info 3,7
******************************************************************************
Command Execution Time: 2019-10-21 09:31:37 GMT+02:00 UTC time: 2019-10-21 07:31:37
******************************************************************************
Filter Filter
Untagged Unregistered
Port Frames Frames PVID PRI Tagging Name
---- -------- ------------ ---- --- ------------- ----------------
3 No No 12 0 UntagPvidOnly Port 3
7 No No 12 0 UntagPvidOnly Port 7
# sho log
I 2019-10-21T09:25:43+02:00 23 Fabric Attach: binding activation success (port 7 10012/12)
I 2019-10-21T09:25:43+02:00 22 Fabric Attach: binding activation success (port 3 10012/12)
I 2019-10-21T09:25:43+02:00 21 Fabric Attach: binding activation success (trunk 1 10012/12)
Thanks again and good luck to all the others who will run into the same "finding" 🙂
Cheers - Matthias
- Controlware GmbH -
Germany
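The post above gives the working config and the show output that proves the binding landed on ports 3 and 7. As an added example (not Matthias's or Ludo's code), the Python below lints an ERS running config for the prerequisites the thread identifies (the global `eapol multihost auto-non-eap-mhsa-enable`, the per-port `auto-non-eap-mhsa-enable` with `mhsa-no-limit`, and `eapol port ... status auto`) and then checks `show vlan interface info` output against the PVID the policy returned. The config excerpts and show output embedded in it are constructed from trimmed copies of the ones posted above; the counter-example config is constructed for illustration. Assumptions: port lists use the thread's `1-12` / `3,7` syntax, port-level EAP settings appear in running-config form (`eapol multihost port <list> ...`), and `ALL` on an `interface Ethernet ALL` line is not treated as a port list.

```python
"""Lint an ERS running config for the MHSA prerequisites named in this thread
and verify `show vlan interface info` against the expected PVID.
Added example, not code from the thread.
"""
import re
from typing import Dict, Iterable, List, Set

GLOBAL_MHSA = "eapol multihost auto-non-eap-mhsa-enable"
PORT_MH_RE = re.compile(r"^eapol multihost port (\S+) (.*)$")
STATUS_RE = re.compile(r"^eapol port (\S+) status auto\b")
# Data rows of `show vlan interface info`:
# Port  FilterUntagged  FilterUnregistered  PVID  PRI  Tagging  Name
INFO_ROW_RE = re.compile(r"^\s*(\d+)\s+(?:Yes|No)\s+(?:Yes|No)\s+(\d+)\s+\d+\s+(\S+)\s+")


def expand_ports(spec: str) -> Set[int]:
    """'1-12' -> {1,...,12}; '3,7' -> {3, 7}; '6,8-10' -> {6, 8, 9, 10}."""
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def mhsa_missing(config: str, ports: Iterable[int]) -> Dict[int, List[str]]:
    """Per port, the prerequisites that are missing (empty list = ready for MHSA)."""
    lines = [ln.strip() for ln in config.splitlines()]
    global_ok = GLOBAL_MHSA in lines
    mhsa_ports: Set[int] = set()
    auto_ports: Set[int] = set()
    for line in lines:
        m = PORT_MH_RE.match(line)
        if m:
            flags = m.group(2).split()
            if "auto-non-eap-mhsa-enable" in flags and "mhsa-no-limit" in flags:
                mhsa_ports |= expand_ports(m.group(1))
            continue
        m = STATUS_RE.match(line)
        if m:
            auto_ports |= expand_ports(m.group(1))
    report: Dict[int, List[str]] = {}
    for port in ports:
        missing: List[str] = []
        if not global_ok:
            missing.append("global: " + GLOBAL_MHSA)
        if port not in mhsa_ports:
            missing.append("port: eapol multihost auto-non-eap-mhsa-enable mhsa-no-limit")
        if port not in auto_ports:
            missing.append("port: eapol port status auto")
        report[port] = missing
    return report


def parse_vlan_interface_info(output: str) -> Dict[int, Dict[str, object]]:
    """Port -> {'pvid': int, 'tagging': str} from `show vlan interface info`."""
    rows: Dict[int, Dict[str, object]] = {}
    for line in output.splitlines():
        m = INFO_ROW_RE.match(line)
        if m:
            rows[int(m.group(1))] = {"pvid": int(m.group(2)), "tagging": m.group(3)}
    return rows


def pvid_matches(output: str, expected_pvid: Dict[int, int]) -> Dict[int, bool]:
    """True where the switch shows the PVID the RADIUS policy asked for."""
    rows = parse_vlan_interface_info(output)
    return {p: p in rows and rows[p]["pvid"] == v for p, v in expected_pvid.items()}


# Constructed from the running-config excerpt posted above (trimmed).
CONFIG_OK = """\
eapol multihost radius-non-eap-enable
eapol multihost auto-non-eap-mhsa-enable
interface Ethernet ALL
eapol multihost port 1-12 eap-mac-max 4 allow-non-eap-enable non-eap-mac-max 4 radius-non-eap-enable auto-non-eap-mhsa-enable non-eap-phone-enable mac-max 64 mhsa-no-limit
exit
interface Ethernet ALL
eapol port 1-12 status auto re-authentication enable
exit
"""

# Constructed counter-example: global MHSA set, port line without mhsa-no-limit.
CONFIG_PARTIAL = """\
eapol multihost auto-non-eap-mhsa-enable
interface Ethernet ALL
eapol multihost port 1-12 eap-mac-max 32 non-eap-mac-max 32 radius-non-eap-enable mac-max 32 auto-non-eap-mhsa-enable
exit
interface Ethernet ALL
eapol port 1-12 status auto
exit
"""

# Constructed from the `sho vlan interface info 3,7` output posted above.
SHOW_INFO = """\
Port Frames Frames PVID PRI Tagging Name
---- -------- ------------ ---- --- ------------- ----------------
3 No No 12 0 UntagPvidOnly Port 3
7 No No 12 0 UntagPvidOnly Port 7
"""

if __name__ == "__main__":
    print(mhsa_missing(CONFIG_OK, [3, 7, 13]))
    print(pvid_matches(SHOW_INFO, {3: 12, 7: 12}))
```

Paste the real `show running-config` and `show vlan interface info` text in place of the constructed samples; a port that still lists a missing prerequisite is one on which a multi-VLAN attribute set will not be processed, which is worth knowing before blaming the RADIUS side.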
04-12-2019 12:01 AM
Good to know that the XMC Policy Egress has no effect; I think this would be a nice enhancement...
- I am sending the radius attributes, but the switch says "EAP: Pvid attribute from RADIUS ignored" when I added the FA-VLAN-PVID.
- globally I have "eapol multihost auto-non-eap-mhsa-enable"
- on every port I had "eapol multihost eap-mac-max 32 non-eap-mac-max 32 radius-non-eap-enable mac-max 32", and I added auto-non-eap-mhsa-enable mhsa-no-limit which does not affect it.
- I do have "fa zero-touch-option auto-port-mode-fa-client client-type 6,8" enabled
- I also have "fa zero-touch-client standard switch vlan xxx i-sid xxxxxx" set so it adds the WAP vlan to the port.
Terrel.
