This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

help with 802.1x?

help with 802.1x?

Aaron_M
New Contributor

‎06-08-2016 10:00 PM

Let me preface and say that I am probably going to ask some fundamentally basic questions, and probably misunderstand some things about either how 802.1x works in general, or how Extreme's implementation of 802.1x works, as I did see a post that made mention that Extreme does auth a little differently, as far as port vs MAC auth. So I apologize in advance.

I was wondering if anyone can point me in the right direction as far as possible template configurations, or specific sections of the concepts guide? I looked through the concepts guide, and tried some of it out, and still had issues.

We are a university, and ideally, I'd like to be able to have a port:
  • unauthenticated - guest/student vlan
  • authenticated as a student - guest/student vlan
  • authenticated as staff - staff vlan
  • phone authenticates with MAC (which I still need to figure out how to do) - voip vlan
First off, is the above possible?

I found somethings about using VSAs, but then they reference placing users in groups in AD, and then, if those users authenticate, send back a specific VLAN name, which confuses me a little, probably because we're doing it wrong.

In our environment, each building has its own VLAN, let's say building A is VLAN 1000. In the switch, that VLAN name is "buildingA" (we also have VoIP VLANs as "voice_buildingA"). Likewise, building B is VLAN 1010, building C is VLAN 1030, etc. The first thing I'm wondering is, what happens if the VLAN name the VSA is sending on auth, doesn't exist on that switch? For example. Staff member is part of the 802.1x auth group in AD. They're in buildingA, and RADIUS sends the "buildingA" VLAN name. Cool. What happens if they go to building B? RADIUS would send "buildingA", which doesn't exist on that switch stack. "buildingB" does, but not "buildingA."

Is the VSA portion necessary, or is it an overcomplication, and can everything just be done with NPS?

Sorry if this is confusing. It's just new territory, and I want to try and implement something during the summer so we can smooth it out before students return en masse. As it is right now, students can just come up to administrative buildings or classrooms, and plug right in and get full network access. Sure they need administrative credentials to access resources, but ideally they shouldn't be able to get to a lot of that in the first place.

Thanks in advance (and please be gentle).

0 Kudos
9 REPLIES 9

Aaron_M
New Contributor

‎06-22-2016 11:59 AM

Chad, thanks for your response. I did indeed have it set to port-based instead of MAC based. And I do think I'll need to open a ticket because I'm running into issues with getting MAC auth working with our ShoreTel phones, in addition to the quirkiness I was already experiencing.

And the ports were assigned to VLANs as well. After doing configure delete [vlan] port 17-20, now when I do show vlan ports 17-20 it just shows the nt_login VLAN.

But thank you so much for your assistance thus far! It got me pointed in the right direction.
0 Kudos

Chad_Smith1
Extreme Employee

‎06-21-2016 06:42 PM

Aaron,

You can auth multiple supplicants on the same port. However, if you want to authenticate multiple supplicants on the same port and place them into different VLANs untagged you will need to use mac-based-vlans on the port rather than port-based.

ELRP and Network Login are not currently supported on the same port.

Are your test ports added to any VLAN (show conf vlan)? If so, you are operating in ISP mode and for your implementation you need campus mode. Remove those VLANs from the ports.

I think it would be best at this point to open up a case with GTAC. That way we can start a better dialogue and attack the issues one at a time.

0 Kudos

Aaron_M
New Contributor

‎06-17-2016 08:12 PM

More confused now.

Both my VM and Mac were on the Guest VLAN. I disabled then enabled my VM NIC because that's the only way I've found to get the authentication window to pop up. I entered my credentials, but before I hit OK, I started a packet capture.

I hit OK and...nothing. I was still on the guest VLAN. I checked the packet capture, and this is what I saw:



But there was no Audit Success in the NPS Event Viewer, and I was still on the Guest VLAN.

I did the same process on my Mac and it auto-connected just fine.

Just for kicks I disabled both NICs, and then ran the following command on the switch (out my wireless NIC):

clear netlogin state agent dot1x mac-address WINDOWS-VM-MAC port PORT-NUMBER

Re-enabled both NICs, and both authenticated against NPS and connected to the Staff VLAN!

---
MAC IP address Authenticated Type ReAuth-Timer User
MAC-VM 172.21.200.35 Yes, Radius 802.1x 254 Domain\Username
MAC-Mac 172.21.200.34 Yes, Radius 802.1x 245 Username
---

But now, probably 5 minutes later, show netlogin port PORT-NUMBER shows:

---
MAC IP address Authenticated Type ReAuth-Timer User
MAC-VM 0.0.0.0 No 802.1x 0
MAC-Mac 0.0.0.0 No 802.1x 0
---

*sigh*

Session-Timeout is set for 300 seconds (for now) in the NPS Policy, because I read that value replaces the reauth-period timer on the switch. My assumption was that after 5 minutes, it would reauth again, and everything would reconnect just fine again, but that doesn't appear to be the case. My Windows VM disconnected, and my Mac is still connected.

And again, after typing all that, I saw that the Connection Time on my Mac restarted, and when I checked the switch, both devices re-auth'd.

But now again, after 5 minutes, my Windows VM disconnected, and my Mac is still connected, but this time, 10 minutes have gone by and my Mac is still connected, and my Window VM reconnected about 2 minutes ago.

I feel like I'm am still missing something about how the netlogin works, because clearly I can't roll this out as it is right now. Even if devices eventually reauth, we can't have people drop off the network for 5-10 minutes at a time.

Here's the config, if it helps:

#
# Module netLogin configuration.
#
configure netlogin vlan nt_login
enable netlogin dot1x
configure netlogin authentication protocol-order dot1x mac web-based
enable netlogin ports 17-20 dot1x
enable netlogin dot1x guest-vlan ports 17-20
configure netlogin dot1x ports 17 timers quiet-period 5 reauth-period 30
configure netlogin dot1x ports 18 timers quiet-period 5 reauth-period 30
configure netlogin dot1x ports 19 timers quiet-period 5 reauth-period 30
configure netlogin dot1x ports 20 timers quiet-period 5 reauth-period 30
configure netlogin dot1x guest-vlan UnPriv_dot1x ports 17-20
configure netlogin ports 17 mode port-based-vlans
configure netlogin ports 17 no-restart
configure netlogin ports 18 mode port-based-vlans
configure netlogin ports 18 no-restart
configure netlogin ports 19 mode port-based-vlans
configure netlogin ports 19 no-restart
configure netlogin ports 20 mode port-based-vlans
configure netlogin ports 20 no-restart
enable netlogin authentication failure vlan ports 17-20
enable netlogin authentication service-unavailable vlan ports 17-20
configure netlogin authentication failure vlan UnPriv_dot1x ports 17-20
configure netlogin authentication service-unavailable vlan UnPriv_dot1x ports 17-20

Help and/or thoughts (on Monday...cuz it's Friday) would be greatly appreciated.
0 Kudos

Aaron_M
New Contributor

‎06-17-2016 06:07 PM

Okay, so I've had some time today to play around with this a little and it seems like it's sort of working, but I have one immediate question and probably a couple more later.

Should I be able to auth two different supplicants on the same port? My work computer is a Mac, which I'm running Windows in a VM, and I can auth on the Mac, but if I'm auth'd on the Mac, then I can't auth from the VM. If I let the dot1x window timeout, or click cancel and just wait til I get kicked over to the guest vlan, then both my Mac and my VM will get an IP on the guest vlan.

Use case is obviously if we have an unmanaged switch in someone's office, or if we have a computer chained off a phone that has done MAC auth (which I still need to figure out how to do). But if we can only have one device auth'd on a port at a time (which can't be right), then I'll need to think this through a little more.

Is it possibly because my VM is getting access through my physical interfaces, and since my physical interface is already auth'd...Windows can't auth again? I guess I should try it from the other side - don't auth my Mac, and then see if I can auth my VM...

Also, I read in the User Guide that netlogin and ELRP don't work well together. How accurate is that? We need ELRP, and we've gone without dot1x thus far, but I'd like to implement it if possible. But if we can't have both, that's another thing I'll need to think through.

Thanks in advance, and happy Friday!
0 Kudos
GTM-P2G8KFN