This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
802.1x issues
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-21-2019 11:25 AM
Hey everyone!
Since Microsoft allowed the Hyper-V switches to transfer EAPOL packets I tried to make our switches more secure by implementing 802.1x authentication for the ports.
My idea is the next:
Someone plugs their computer to one of the switch ports:
After the computer (host) successful authentication I can see both VLANs on the port, the host is in the untagged VLAN, has internet, everything works.
The issue is that the VM tries to authenticate, but it fails, and then it doesn't get into the DMZ VLAN, also if I set up a VLAN tag in Hyper-V for the VM (the tag of the DMZ VLAN) it doesn't pick it up.
This is what I see:
SW01.33 # show netlogin dot1x detail
NetLogin Authentication Mode : web-based DISABLED; 802.1x ENABLED; mac-based DISABLED
NetLogin VLAN : "nt_login"
NetLogin move-fail-action : Deny
------------------------------------------------
802.1x Mode Global Configuration
------------------------------------------------
Quiet Period : 1
Supplicant Response Timeout : 5
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 10
EAPOL MPDU version to transmit : v1
------------------------------------------------
Port: 6:19, Vlan: LAN State: Enabled, Authentication: 802.1x
Guest Vlan VM-DMZ: Enabled
Authentication Failure Vlan VM-DMZ: Enabled
Authentication Service-Unavailable Vlan VM-DMZ: Enabled
MAC
MACADDRESS : IP=10.98.8.48 Auth=Yes User=ADUSERNAME
: AuthPAE state=AUTHENTICATED BackAuth state=IDLE
: ReAuth time left=3566 ReAuth count=0
: Quiet time left=0
-----------------------------------------------
Port: 6:19, Vlan: VM-DMZ, State: Enabled, Authentication: 802.1x
Guest Vlan VM-DMZ: Enabled
Authentication Failure Vlan VM-DMZ: Enabled
Authentication Service-Unavailable Vlan VM-DMZ: Enabled
MAC
00:15:5d:49:0b:1a : IP=0.0.0.0 Auth=No User=
: AuthPAE state=AUTHENTICATING BackAuth state=IDLE
: ReAuth time left=0 ReAuth count=4
: Quiet time left=0
10:62:e5:ef:0f:69 : IP=0.0.0.0 Auth=Yes User=ADUSERNAME
: AuthPAE state=AUTHENTICATED BackAuth state=IDLE
: ReAuth time left=3566 ReAuth count=0
: Quiet time left=0
-----------------------------------------------
this is what's in the debug log:
03/21/2019 11:21:36.15 Slot-1: Authentication failed for Network Login 802.1x user Mac 00:15:5D:49:0B:1A port 6:19
03/21/2019 11:21:36.15 Slot-1: Client[6:19, 00:15:5D:49:0B:1A] auth move result: Cant move untagged VLAN
03/21/2019 11:21:36.15 Slot-1: Client[6:19, 00:15:5D:49:0B:1A] authVlans preprocessing result; Cant move untagged VLAN
Do you have any suggestions?
Since Microsoft allowed the Hyper-V switches to transfer EAPOL packets I tried to make our switches more secure by implementing 802.1x authentication for the ports.
My idea is the next:
Someone plugs their computer to one of the switch ports:
- If they are in the necessary AD group (that condition I check in the Windows NPS server) they get authenticated and be put in the necessary untagged VLAN, they can reach the internal network and internet
- If they don't have 802.1x enabled, they get to put into the Guest VLAN, receive a DMZ DHCP IP
- If they have 802.1x enabled but they cannot authenticate, get to put in the the Failure VLAN (similar to Guest VLAN)
After the computer (host) successful authentication I can see both VLANs on the port, the host is in the untagged VLAN, has internet, everything works.
The issue is that the VM tries to authenticate, but it fails, and then it doesn't get into the DMZ VLAN, also if I set up a VLAN tag in Hyper-V for the VM (the tag of the DMZ VLAN) it doesn't pick it up.
This is what I see:
SW01.33 # show netlogin dot1x detail
NetLogin Authentication Mode : web-based DISABLED; 802.1x ENABLED; mac-based DISABLED
NetLogin VLAN : "nt_login"
NetLogin move-fail-action : Deny
------------------------------------------------
802.1x Mode Global Configuration
------------------------------------------------
Quiet Period : 1
Supplicant Response Timeout : 5
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 10
EAPOL MPDU version to transmit : v1
------------------------------------------------
Port: 6:19, Vlan: LAN State: Enabled, Authentication: 802.1x
Guest Vlan VM-DMZ: Enabled
Authentication Failure Vlan VM-DMZ: Enabled
Authentication Service-Unavailable Vlan VM-DMZ: Enabled
MAC
MACADDRESS : IP=10.98.8.48 Auth=Yes User=ADUSERNAME
: AuthPAE state=AUTHENTICATED BackAuth state=IDLE
: ReAuth time left=3566 ReAuth count=0
: Quiet time left=0
-----------------------------------------------
Port: 6:19, Vlan: VM-DMZ, State: Enabled, Authentication: 802.1x
Guest Vlan VM-DMZ: Enabled
Authentication Failure Vlan VM-DMZ: Enabled
Authentication Service-Unavailable Vlan VM-DMZ: Enabled
MAC
00:15:5d:49:0b:1a : IP=0.0.0.0 Auth=No User=
: AuthPAE state=AUTHENTICATING BackAuth state=IDLE
: ReAuth time left=0 ReAuth count=4
: Quiet time left=0
10:62:e5:ef:0f:69 : IP=0.0.0.0 Auth=Yes User=ADUSERNAME
: AuthPAE state=AUTHENTICATED BackAuth state=IDLE
: ReAuth time left=3566 ReAuth count=0
: Quiet time left=0
-----------------------------------------------
this is what's in the debug log:
03/21/2019 11:21:36.15 Slot-1: Authentication failed for Network Login 802.1x user Mac 00:15:5D:49:0B:1A port 6:19
03/21/2019 11:21:36.15 Slot-1: Client[6:19, 00:15:5D:49:0B:1A] auth move result: Cant move untagged VLAN
03/21/2019 11:21:36.15 Slot-1: Client[6:19, 00:15:5D:49:0B:1A] authVlans preprocessing result; Cant move untagged VLAN
Do you have any suggestions?
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-26-2019 09:39 AM
Good morning,
As I understand, your host is authenticated and added to a VLAN untagged.
Your netlogin port is configured to use port-based VLANs. With this, the port can only be untagged in 1 VLAN (the initial host authentication), therefore any subsequent attempt to pass an untagged VSA for ther VM would fail.
You need to change the NetLogin mode to mac-based-vlans. Please see the following KB article: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-MAC-based-VLANs-and-port-based-VLANs
In your case the above is set to DISABLED
As I understand, your host is authenticated and added to a VLAN untagged.
Your netlogin port is configured to use port-based VLANs. With this, the port can only be untagged in 1 VLAN (the initial host authentication), therefore any subsequent attempt to pass an untagged VSA for ther VM would fail.
You need to change the NetLogin mode to mac-based-vlans. Please see the following KB article: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-MAC-based-VLANs-and-port-based-VLANs
code:
# show netlogin dot1x detail
... MAC-based ENABLED
In your case the above is set to DISABLED
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-28-2019 03:29 PM
Hello again,
I managed to make it work thanks to you, I thought MAC-based meant that you use MACs to authenticate, but this is something else!
Thanks a million man, you saved me!
I managed to make it work thanks to you, I thought MAC-based meant that you use MACs to authenticate, but this is something else!
Thanks a million man, you saved me!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-28-2019 12:41 PM
Hey!
Thanks for your answer.
Okay, so let's say I have a computer that authenticates then get put into the untagged VLAN. I cannot put any VMs into a tagged VLAN without using MAC-based auth?
Thanks for your answer.
Okay, so let's say I have a computer that authenticates then get put into the untagged VLAN. I cannot put any VMs into a tagged VLAN without using MAC-based auth?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-26-2019 09:39 AM
Good morning,
As I understand, your host is authenticated and added to a VLAN untagged.
Your netlogin port is configured to use port-based VLANs. With this, the port can only be untagged in 1 VLAN (the initial host authentication), therefore any subsequent attempt to pass an untagged VSA for ther VM would fail.
You need to change the NetLogin mode to mac-based-vlans. Please see the following KB article: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-MAC-based-VLANs-and-port-based-VLANs
In your case the above is set to DISABLED
As I understand, your host is authenticated and added to a VLAN untagged.
Your netlogin port is configured to use port-based VLANs. With this, the port can only be untagged in 1 VLAN (the initial host authentication), therefore any subsequent attempt to pass an untagged VSA for ther VM would fail.
You need to change the NetLogin mode to mac-based-vlans. Please see the following KB article: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-MAC-based-VLANs-and-port-based-VLANs
code:
# show netlogin dot1x detail
... MAC-based ENABLED
In your case the above is set to DISABLED
