This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- RE: dot1x authentication
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
dot1x authentication
dot1x authentication
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:56 PM
Create Date: Oct 13 2012 3:04AM
Hello All,
We are in the process of migrating from old EW based switches to XOS based ones at our corporate office. On the old EW switches, I had dot1x (netlogin) working wherein I would have a port manually assigned to a VLAN and netlogin enabled for it. My Radius server would authenticate on the basis of computer/user name and would return no VSA or vlan tag. So once authenticated, the client would belong to the vlan the port was originally assigned to. This I guess is ISP mode operation.
On our new XOS based switches, I see that you need to assign a netlogin vlan to even enable the dot1x feature. Although the extreme documentation is detailed, I am trying to see how to get this to work for my scenario. I have a summit stack of around 4-5 nodes with localized vlans on each node. I dont use a dedicated mgmt vlan but an ip from one of these vlans for switch mgmt. This would be the Radius client ip.
I have a floor migration this weekend https://. Any help would be most appreciated. Tks again. (from Anush_Santhanam)
Hello All,
We are in the process of migrating from old EW based switches to XOS based ones at our corporate office. On the old EW switches, I had dot1x (netlogin) working wherein I would have a port manually assigned to a VLAN and netlogin enabled for it. My Radius server would authenticate on the basis of computer/user name and would return no VSA or vlan tag. So once authenticated, the client would belong to the vlan the port was originally assigned to. This I guess is ISP mode operation.
On our new XOS based switches, I see that you need to assign a netlogin vlan to even enable the dot1x feature. Although the extreme documentation is detailed, I am trying to see how to get this to work for my scenario. I have a summit stack of around 4-5 nodes with localized vlans on each node. I dont use a dedicated mgmt vlan but an ip from one of these vlans for switch mgmt. This would be the Radius client ip.
I have a floor migration this weekend https://. Any help would be most appreciated. Tks again. (from Anush_Santhanam)
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Mar 15 2013 1:29PM
Hey Andrew,
How did you do that? Could you please post the commands here if you don't mind?
Does it look something like this:
create stpd stp-test
conf stp-test mode dot1d
conf stp-test add vlan ports 1-24 emistp
conf stp-test ports link-type edge 1-24
conf stp-test ports edge-safeguard enable 1-24 bpdu-restrict
conf stp-test tag
en stp-test
Thanks!
(from Shashank_S Kumar)
Hey Andrew,
How did you do that? Could you please post the commands here if you don't mind?
Does it look something like this:
create stpd stp-test
conf stp-test mode dot1d
conf stp-test add vlan
conf stp-test ports link-type edge 1-24
conf stp-test ports edge-safeguard enable 1-24 bpdu-restrict
conf stp-test tag
en stp-test
Thanks!
(from Shashank_S Kumar)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Oct 20 2012 7:40PM
Hello Andrew,
Thank you so much for taking the time. This is an excellent suggestion and one that I have also used. I should have been a bit clearer. Sorry for that. One of the biggest problems in my environment relates to the uncontrolled use of hubs and possibility of loops through them (edge ports). I can see the edge safeguard and bpdu restrict helping with problems that switches can cause. How about hubs. One clarification. When you setup the dummy vlan would you setup the edge ports as tagged for that vlan. The reason i ask this is because the edge ports will be configured for the necessary data/voice vlans anyway. Tks. (from Anush_Santhanam)
Hello Andrew,
Thank you so much for taking the time. This is an excellent suggestion and one that I have also used. I should have been a bit clearer. Sorry for that. One of the biggest problems in my environment relates to the uncontrolled use of hubs and possibility of loops through them (edge ports). I can see the edge safeguard and bpdu restrict helping with problems that switches can cause. How about hubs. One clarification. When you setup the dummy vlan would you setup the edge ports as tagged for that vlan. The reason i ask this is because the edge ports will be configured for the necessary data/voice vlans anyway. Tks. (from Anush_Santhanam)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Oct 16 2012 7:49AM
Hi Excalibur,
I recommend using STP on the edge with netlogin. What I have done at some customers is create a dummy vlan only for STP and then add that to all of my edge ports. Then enable BPDU restrict and edge-safeguard on every edge port as well.
I have tested this and it works. I like it better than ELRP. If you're using ELRP and someone creates a loop between 2 switches you run the risk of the uplink port being disabled on one of the switches. STP with BPDU-restrict and edge-safeguard means that the port is administratively disabled once it receives a single BPDU. The admin must then login to the switch and reenable the port.
If you're trying to protect users from creating loops at the edge then mac-limit-learning won't help. That won't prevent loops of unknown unicast packets. You really do need something like STP or ELRP at the edge to prevent loops.
Thanks,
Andrew (from Andrew_McConachie)
Hi Excalibur,
I recommend using STP on the edge with netlogin. What I have done at some customers is create a dummy vlan only for STP and then add that to all of my edge ports. Then enable BPDU restrict and edge-safeguard on every edge port as well.
I have tested this and it works. I like it better than ELRP. If you're using ELRP and someone creates a loop between 2 switches you run the risk of the uplink port being disabled on one of the switches. STP with BPDU-restrict and edge-safeguard means that the port is administratively disabled once it receives a single BPDU. The admin must then login to the switch and reenable the port.
If you're trying to protect users from creating loops at the edge then mac-limit-learning won't help. That won't prevent loops of unknown unicast packets. You really do need something like STP or ELRP at the edge to prevent loops.
Thanks,
Andrew (from Andrew_McConachie)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:57 PM
Create Date: Oct 16 2012 6:02AM
Hello All,
I thankfully managed to get this working. Ideally, you would want your Radius to return the appropriate VSA for placing a port in the necessary VLAN. But as indicated I am only trying to get ISP mode to work so I statically assigned the port to the necessary vlan and added the dot1x authentication feature and it worked.
On a slightly unrelated note, I can see from the documentation that ELRP is not supported with Netlogin. Is this correct. For the edge loop prevention, I am guessing that netlogin would in a way handle that as well and I can possibly set a mac learning limit. Can you please advise. Tks. (from Anush_Santhanam)
Hello All,
I thankfully managed to get this working. Ideally, you would want your Radius to return the appropriate VSA for placing a port in the necessary VLAN. But as indicated I am only trying to get ISP mode to work so I statically assigned the port to the necessary vlan and added the dot1x authentication feature and it worked.
On a slightly unrelated note, I can see from the documentation that ELRP is not supported with Netlogin. Is this correct. For the edge loop prevention, I am guessing that netlogin would in a way handle that as well and I can possibly set a mac learning limit. Can you please advise. Tks. (from Anush_Santhanam)
