01-30-2024 12:28 AM
Hi,
I'm trying to authenticate a client via dot1x (EAP-TLS), RADIUS and netlogin.
Our RADIUS server is sending the VSA211 attribute in the Accept message, but the EXOS switch does not put the client in the specified VLAN.
RADIUS attribute:
Extreme-Netlogin-Extended-Vlan=U5
Wireshark Capture:
exos debug
When I configure the RADIUS server to send the VLAN via Tunnel-Group-ID, the end device is moved to the correct VLAN.
wireshark capture
netlogin debug
Switch Config:
configure radius netlogin primary server XXX.XXX.XXX.XXX 1812 client-ip XXX.XXX.XXX.XXX vr VR-Default
configure radius netlogin primary shared-secret encrypted "secret"
configure radius netlogin secondary server XXX.XXX.XXX.XXX 1812 client-ip XXX.XXX.XXX.XXX vr VR-Default
configure radius netlogin secondary shared-secret encrypted "secret"
configure radius dynamic-authorization 1 server XXX.XXX.XXX.XXX client-ip XXX.XXX.XXX.XXX vr VR-Default shared-secret encrypted "secret"
configure radius dynamic-authorization 2 server XXX.XXX.XXX.XXX client-ip XXX.XXX.XXX.XXX vr VR-Default shared-secret encrypted "secret"
enable radius
disable radius mgmt-access
enable radius netlogin
enable radius dynamic-authorization
enable netlogin dot1x
enable netlogin ports 3-8 dot1x
01-30-2024 05:15 AM
Have you enabled policy (I assume so, as you have dynamic authorization enabled)?
If so, then EXOS does not honor VSA211, only the attributes mentioned in the user guide for policy, and only if you enable maptable response both and vlanauthorization.
02-06-2024 05:34 AM
Yes, but as you can assign VLANs through the policy itself (pvid), you don't need VSA 211. Check out table 114 in the user guide for VSAs supported with OnePolicy enabled.
Table 114: Supported Access-Accept Attributes for ONEPolicy
02-01-2024 06:13 AM
Yes, I have configured one policy for the APs (tagging multiple VLANs and activating auth override).
So the VSA211 only works when there is no policy on the switch?
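Added example, not part of the thread and not Extreme's code: a small Python decoder for checking which VLAN attribute an Access-Accept actually carries, VSA 211 (Extreme-Netlogin-Extended-Vlan) or the tunnel attribute, which tells you whether the server is sending something the switch will honor once policy is enabled. Assumptions: "Tunnel-Group-ID" in the post is taken to mean Tunnel-Private-Group-ID (attribute 81), 1916 is Extreme's vendor ID, the function names are hypothetical, and the sample packets are constructed.

```python
import struct

EXTREME_VENDOR_ID = 1916  # Extreme Networks enterprise number
VSA_EXTENDED_VLAN = 211   # Extreme-Netlogin-Extended-Vlan
VENDOR_SPECIFIC, TUNNEL_PRIVATE_GROUP_ID = 26, 81

def vlan_attributes(packet: bytes) -> dict:
    """Collect the VLAN-assignment attributes carried in one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found = {"code": code, "vsa211": [], "tunnel_private_group_id": []}
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value, pos = packet[pos + 2:pos + alen], pos + alen
        if atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading octet of 0x1F or below is a tag, not text.
            text = value[1:] if value[0] <= 0x1F else value
            found["tunnel_private_group_id"].append(text.decode("utf-8", "replace"))
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
            while vendor == EXTREME_VENDOR_ID and len(sub) >= 2:
                vtype, vlen = sub[0], sub[1]
                if vlen < 2 or vlen > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                if vtype == VSA_EXTENDED_VLAN:
                    found["vsa211"].append(sub[2:vlen].decode("utf-8", "replace"))
                sub = sub[vlen:]
    return found

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def sample_accept(vsa: bytes = b"U5", tunnel: bytes = b"") -> bytes:
    """Constructed Access-Accept (code 2) with a zeroed authenticator."""
    attrs = b""
    if vsa:
        attrs += _attr(VENDOR_SPECIFIC, struct.pack("!I", EXTREME_VENDOR_ID) + _attr(VSA_EXTENDED_VLAN, vsa))
    if tunnel:
        attrs += _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + tunnel)
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(vlan_attributes(sample_accept()))               # VSA 211 only
    print(vlan_attributes(sample_accept(b"", b"5")))      # tunnel attribute only
```

To run it against a real capture, pass the UDP payload bytes of the Access-Accept exported from the capture to `vlan_attributes`.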