Monday
Hi,
I am trying to use the OVS service on a Debian 12 installation.
According to the documentation, OVS does not support HMAC authentication for Auto-Attach. If I configure the switch port as FA without authentication, it works; however, when I set it to Auto-Sense, I receive authentication error messages on the port.
While NAC could handle this authentication dynamically, I am trying to set up a scenario where NAC is not required and Auto-Sense itself allows me to automate specific clients (Linux, in this case).
I found the command `auto-sense fa ovs eapol status authorized`; it is supposed to bypass authentication, but it doesn't seem to work.
I am connecting to a 5420 switch running firmware 9.3.2, and there is NAC on the network.
Is this a bug? Has anyone else tried using OVS on Auto-Sense ports?
Raúl Carbonari
Wednesday
Hi Raúl,
FYI, I created an FA test tool you can use against both physical and virtualised Fabric Engine (aka VOSS). http://www.nikulski.net/vfad/
Please note that message authentication prevents unwanted VLAN/I-SID assignment, but it still exposes FA client details to the FA server/proxy. It means that there is always an ability to recognise the client. If EAPoL is used, the FA client details can be shared with the RADIUS server by carrying the FA attributes in the request.
Yes, we are still improving the solution, which has become more flexible in each release. Your input is valid, and we have similar ideas too.
Best regards
Markus
Tuesday
Hi
You are mixing up Fabric Attach (FA) message authentication with EAPoL/MAC-based authentication.
Extreme FA devices ship with a default secret FA auth key, but we do not disclose that key outside of Extreme, so the OVS FA client won't have it.
So, what you are trying to do is to disable FA message auth on the auto-sense port, while the command `auto-sense fa ovs eapol status authorized` is simply bypassing NAC RADIUS authentication, which you do not have anyway.
This global command should work, but it will result in FA message auth being disabled on all auto-sense ports, not just the one where your OVS client connects:
```
(config)# no auto-sense fa message-authentication
```
which may not be what you want; in that case, you will need to disable auto-sense and configure the port for FA without message-authentication.
Alternatively, if OVS allows you to set a custom FA auth key, then you can also configure that key on the switch port, but again auto-sense needs disabling to configure it.
Stay tuned; we are looking to enhance auto-sense in the next releases so that you will be able to automatically either disable FA auth on ports where a specific FA client type (e.g. OVS) is detected, or apply a custom FA auth key.
Best regards
Ludovico
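The distinction Ludovico draws above (FA message authentication is an HMAC over the LLDP FA TLVs keyed with a shared secret; EAPoL/NAC authorisation is a separate gate) can be modelled in a few lines. The following is an added example, not code from the thread, from OVS, or from Extreme: the TLV layout, the element type value, the key and the decision strings are all constructed for illustration and do not reproduce the real Fabric Attach wire format. What it does show is why an OVS client that cannot compute the HMAC fails on an auto-sense port regardless of `eapol status authorized`, why a client such as faclient.py that is given the same key passes, and what `no auto-sense fa message-authentication` changes.

```python
"""FA-style LLDP message authentication, modelled (added example, not the real encoding)."""
import hashlib
import hmac
import struct
from typing import Optional

# HMAC-SHA256 digest length used for the message-authentication field.
FA_DIGEST_LEN = 32

# Assumed custom key configured on the switch port. The Extreme default key is
# not public, so a non-Extreme client can only pass if a key like this is set
# on both sides (hypothetical value).
SWITCH_KEY = b"example-shared-fa-key"


def build_fa_element(element_type: int, vlan: int, isid: int, key: Optional[bytes]) -> bytes:
    """Build a simplified FA element (illustrative layout, not the real TLV).

    body = type (1 byte) | VLAN (2 bytes) | I-SID (4 bytes), followed by a
    32-byte digest. A client without HMAC support (the OVS case) leaves the
    digest all zero; a client holding the key sends HMAC-SHA256 computed over
    the message with the digest field zeroed.
    """
    body = struct.pack("!BHI", element_type, vlan, isid)
    if key is None:
        return body + bytes(FA_DIGEST_LEN)
    digest = hmac.new(key, body + bytes(FA_DIGEST_LEN), hashlib.sha256).digest()
    return body + digest


def verify_fa_message_auth(msg: bytes, key: bytes) -> bool:
    """Switch-side check: recompute the HMAC with the digest field zeroed and compare in constant time."""
    body, digest = msg[:-FA_DIGEST_LEN], msg[-FA_DIGEST_LEN:]
    expected = hmac.new(key, body + bytes(FA_DIGEST_LEN), hashlib.sha256).digest()
    return hmac.compare_digest(expected, digest)


def port_decision(msg: bytes, key: bytes, *, message_auth: bool, eapol_authorized: bool) -> str:
    """Model the two independent gates on an auto-sense port.

    message_auth     -> 'auto-sense fa message-authentication' (global toggle)
    eapol_authorized -> 'auto-sense fa ovs eapol status authorized' (NAC bypass)

    The EAPoL bypass never rescues a message that fails the HMAC check.
    """
    if message_auth and not verify_fa_message_auth(msg, key):
        return "rejected: FA message authentication failed"
    if eapol_authorized:
        return "accepted: FA assignment applied, NAC/RADIUS bypassed (port pre-authorized)"
    return "pending: FA message ok, awaiting EAPoL/RADIUS authorization"


if __name__ == "__main__":
    # Constructed sample assignment: element type 6, VLAN 100, I-SID 10100.
    ovs_msg = build_fa_element(6, 100, 10100, None)          # no HMAC support
    keyed_msg = build_fa_element(6, 100, 10100, SWITCH_KEY)  # e.g. faclient.py with the key
    wrong_msg = build_fa_element(6, 100, 10100, b"wrong")    # key mismatch

    print("OVS, auth on, eapol bypass :", port_decision(ovs_msg, SWITCH_KEY, message_auth=True, eapol_authorized=True))
    print("OVS, auth off, eapol bypass:", port_decision(ovs_msg, SWITCH_KEY, message_auth=False, eapol_authorized=True))
    print("keyed client, auth on      :", port_decision(keyed_msg, SWITCH_KEY, message_auth=True, eapol_authorized=False))
    print("wrong key, auth on         :", port_decision(wrong_msg, SWITCH_KEY, message_auth=True, eapol_authorized=True))
```

The first two lines of the demo are Raúl's two configurations: the same unauthenticated message is rejected with message authentication on and accepted once it is off, and the `eapol status authorized` bypass makes no difference to that outcome. The third line is the faclient.py case, which only works because the key matches on both ends.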
Tuesday
Ludovico,
OVS implementations do not support HMAC, so LLDP messages will never be sent with authentication.
I am running some tests with a Python script called "faclient.py" that I found on GitHub. It allows me to specify a key, and in my tests, it is working.
It would be great to be able to disable Auto-Sense authentication based on the FA Type—at least for non-Extreme devices—or, alternatively, to define a key per FA Type.
Another interesting feature would be the ability to associate "generic" LLDP messages with a specific FA Type—for instance, for cameras that lack an embedded FA client, or for printers and other types of devices. The list of FA Types on GitHub has been expanded to include more device types.
Regards,
Raúl