netlogin - Authenticate on predefined tagged vlan
‎01-07-2014 09:59 PM
Create Date: Mar 5 2013 2:22PM
Hello,
I hope this is the correct location to post my problem.
I'm working on 802.1x and having some problems authenticating our IP phones.
Avaya IP phones 96xx need to authenticate via MAC-based authentication against a FreeRADIUS server.
What's running:
SW: ExtremeXOS v12.4.1.7
HW: Summit X450e-48p
FreeRADIUS is currently working with the switch. Dynamic VLAN assignment is also working with dot1x and MAC authentication.
BUT:
The authentication process is only initiated if the supplicant is not using a predefined VLAN itself.
Meaning:
Port 11 has only the netlogin VLAN "login" active. If a PC is connected to the port, the authentication process is initiated, the FreeRADIUS server is queried and the VLAN XYZ is dynamically assigned untagged. Everything fine...
Now the Avaya IP phone (predefined VLAN 489 in the phone cfg) is connected. Nothing happens. The switch isn't even asking the FreeRADIUS server to authenticate the phone. Seems like the switch isn't noticing the phone.
If the predefined VLAN in the phone is changed 489->0, the phone tries to authenticate on the untagged port and everything is OK. The VLAN 489 is assigned tagged using "Extreme-Netlogin-Extended-Vlan"="T489"
But this does not work further on. The phone tries to connect to the native VLAN (changed 489->0) while the port was added tagged.
How can the phone be authenticated without changing the predefined phone cfg (vlan=489)?
sh netlogin
NetLogin Authentication Mode : web-based DISABLED; 802.1x ENABLED; mac-based ENABLED
NetLogin VLAN : "login"
NetLogin move-fail-action : Deny
NetLogin Client Aging Time : 5 minutes
Dynamic VLAN Creation : Disabled
Dynamic VLAN Uplink Ports : None
------------------------------------------------
802.1x Mode Global Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication period : 600
Max Re-authentications : 3
RADIUS server timeout : 30
EAPOL MPDU version to transmit : v2
Authentication Database : Radius
------------------------------------------------
Any help would be appreciated.
Tobias
(from Tobias2102)
‎01-07-2014 09:59 PM
Create Date: Mar 7 2013 7:43AM
Hello,
Yes, that's it. The phones try to access VLAN 489 directly, and netlogin is enabled globally and on those ports, too. Devices which do not use a specific VLAN are getting authenticated successfully.
I supposed there has to be some way to do this.
The only way I got this to work is using mac-based-vlans and disabling the VLAN in the phones. So I have to do it that way.
Thanks for your help. (from Tobias2102)
‎01-07-2014 09:59 PM
Create Date: Mar 6 2013 3:51PM
Tobias2102, so I understand your question correctly, you are adding the phones to ports in the 489 VLAN and they're not getting authenticated by netlogin? If that is the case, netlogin will not authenticate those phones. You have to be in no VLANs and your port needs to be enabled by netlogin for netlogin to work on those ports.
I hope that answers your questions. If it doesn't, let us know. (from ethernet)
