This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- Re: Authenticating access points with Radius
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Authenticating access points with Radius
Authenticating access points with Radius
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-03-2021 11:02 PM
Hello All,
We are migrating to Extreme AP410C access points on XOS 465 switches and would like to know the proper way to configure the ports via Clearpass Radius. Currently I can have an Extreme access point on an HPE 2930 switch with the following configuration: (this works!)
class ipv4 sit-apnet
match ip any any
exit
policy user sit-ap
class ipv4 sit-apnet action permit
exit
aaa authorization user-role name "AP-Bridge"
policy sit-ap
vlan-id 10
vlan-id-tagged 20,30,40
device
port-mode
exit
exit
The above config gets passed from clearpass to the the HPE switch, everytime an AP is connected to the switch. I understand that I cannot use the same with xos switches. So the question is, how are you guys authenticating APs on XOS and also allow the user traffic on these ports?
I have tried the following, and it seems to put the proper vlans on the port, but user traffic on the user vlans does not seem to get a dhcp address. I remember when we tried to make it work on the HPE switches, the key was setting the port to "port-mode" so it wouldn't try to authenticate on the user vlans (because this is already done on the AP itself).
Extreme-Netlogin-Extended-Vlan = U10;T20;T30;
I hope this makes sense. Thanks for your time.
We are migrating to Extreme AP410C access points on XOS 465 switches and would like to know the proper way to configure the ports via Clearpass Radius. Currently I can have an Extreme access point on an HPE 2930 switch with the following configuration: (this works!)
class ipv4 sit-apnet
match ip any any
exit
policy user sit-ap
class ipv4 sit-apnet action permit
exit
aaa authorization user-role name "AP-Bridge"
policy sit-ap
vlan-id 10
vlan-id-tagged 20,30,40
device
port-mode
exit
exit
The above config gets passed from clearpass to the the HPE switch, everytime an AP is connected to the switch. I understand that I cannot use the same with xos switches. So the question is, how are you guys authenticating APs on XOS and also allow the user traffic on these ports?
I have tried the following, and it seems to put the proper vlans on the port, but user traffic on the user vlans does not seem to get a dhcp address. I remember when we tried to make it work on the HPE switches, the key was setting the port to "port-mode" so it wouldn't try to authenticate on the user vlans (because this is already done on the AP itself).
Extreme-Netlogin-Extended-Vlan = U10;T20;T30;
I hope this makes sense. Thanks for your time.
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-04-2021 09:37 AM
Hey Luis,
There are probably 5 different ways to do this using various combinations of netLogin, Policy, and RADIUS.
Using just that VSA, your switch is authing the AP and applying VLANs, but is also probably trying to authenticate the Wifi Clients themselves which may be why they cannot get DHCP.
A key thing to consider for authenticating APs and Wireless clients: Who, if anyone, is authenticating the wireless clients, the AP itself or the switch where the AP is connected? Do you actually need to authenticate the AP or can you get away with a static configuration on the AP port? Do you actually need to authenticate the WiFi Clients or are you OK with just basic SSID security?
Assuming that you do want to authenticate the AP itself to apply VLANs AND let all client traffic through, the easiest method to explain is using policy and RADIUS Filter-Ids.
Example with an AP on port 1:
1) Enable/configure netLogin, Policy, and RADIUS in EXOS
#Note, you do not need any VLANs on a port to begin with to authenticate a device and apply VLANs via RADIUS
#
# Module aaa configuration.
#
#Use VR-Mgmt if using the OOB mgmt port to get to RADIUS
configure radius 1 server <RADIUS IP> client-ip <Switch IP> vr VR-Default
configure radius 1 shared-secret <RADIUS Secret>
enable radius netlogin
#
# Module policy configuration.
#
#Setup a policy profile for the AP
#PVID-Status Enable PVID 4095 -> All traffic is permitted unless blocked via a policy rule (not shown)
#Untagged-VLAN -> Assign untagged VLAN to port
#Egress-VLANs -> Apply tagged VLANs to port, comma separated, no spaces
#Auth-override enable -> The APs authentication session is applied to all MACs (wifi-clients) learned on this port; Otherwise, you attempt to authenticate all wifi clients as well.
configure policy profile 1 name "AP" pvid-status "enable" pvid 4095 untagged-vlans <Untagged VLAN> egress-vlans <Tagged VLANs> auth-override enable
enable policy
#
# Module netLogin configuration.
#
#Not sure if that AP can authenticate via dot1x, you can auth via either dot1x or MAC.
enable netlogin mac dot1x
enable netlogin ports <AP Port> mac dot1x
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
2) Setup RADIUS to return the Filter-ID Generic RAIDUS attribute that is the policy profile name
#FreeRADIUS User File Example for MAC Authentication:
<AP MAC> Cleartext-Password := "<AP MAC>"
Filter-Id = "AP"
3) When the AP sends it's first frame, the switch will try to authenticate with RADIUS. RADIUS should return the Filter-Id of "AP" at which point that policy profile should be applied to the AP per 'show netlogin session'. VLANs will get added as configured. With auth-override, the APs authentication session is applied to all learned MACs (Wifi Clients) on that port and the switch does not attempt to authenticate them individually.
Hopefully that helps!
