XOS - 802.1X AP but bypass bridge@AP clients

Ronald_Dvorak
Honored Contributor
Hi,

Is it possible to authenticate the AP via 802.1X PEAP on the switch port but bypass/disable the authentication for the bridge@AP clients that are connected to the AP?

Could you please tell me the configuration steps on the XOS or other ideas for this scenario.

Thanks,
Ron

(policy at the switch, that is. It is compatible with policy at the AP.)

I should have added that the other VLANs will need to be tagged, and that this is not a configuration that works in conjunction with policy.

It would be great if you'd write a document/article about it, so that other users/customers could also use it as a reference for how to achieve this function.

Thanks,
Ron

Matthew_Helm1
Extreme Employee
So here is the explanation:

The AP uses netlogin/802.1x to authenticate to a port.

The VSA passed by the radius server contains the name of a UPM profile which then runs.

The UPM profile that runs enables MAC authentication on that port.

Netlogin for MAC authentication is configured with a mac-list such that all user/password credentials are passed through to the authentication server (either the RADIUS server or the local authentication database) as the same pair (either 000000000000 / pass or 800000000000 / pass).

The authentication database has an entry for the acceptance of either of these.

When the AP is un-authenticated (e.g. it is disconnected) a UPM profile is run that disables mac authentication for that port.

Here is the configuration, which uses the local database for the MAC authentication but, obviously, RADIUS for dot1x:

# Take all ports out of the default VLAN; "users" is the VLAN the AP lands in
config vlan default delete ports all
create vlan users

# Dedicated netlogin VLAN: ports sit here until a session is authenticated
create vlan nl
config netlogin vlan nl
enable netlogin dot1x mac
enable netlogin port 1-48 dot1x

# mac-list entries with a 1-bit mask: between them they match every possible
# client MAC (first octet 00-7f hits the 00:... entry, 80-ff hits the 80:... entry).
# The username/password forwarded to the database is the list entry's, not the client's.
config netlogin add mac-list 80:00:00:00:00:00 1 password pass
config netlogin add mac-list 00:00:00:00:00:00 1 password pass
create netlogin local-user "000000000000" pass
create netlogin local-user "800000000000" pass

# MAC auth against the local database, dot1x against RADIUS
config netlogin mac authentication database-order local
config netlogin authentication protocol-order mac dot1x web-based
# server and shared-secret are separate commands in EXOS
config radius netlogin primary server 192.168.62.200 client-ip 192.168.62.201 vr vr-mgmt
config radius netlogin primary shared-secret radpass
enable radius netlogin

# UPM profiles: "apin" turns MAC auth on for the port the AP authenticated on,
# "apout" turns it off again when the AP's session ends
create upm profile apin
enable netlogin port $(EVENT.USER_PORT) mac
.
create upm profile apout
disable netlogin port $(EVENT.USER_PORT) mac
.

config upm event user-authenticate profile "apin" port 1-48
config upm event user-unauthenticate profile "apout" port 1-48

# From the RADIUS users file (reply attributes are indented under the user entry;
# the "U" prefix in the Extended-Vlan value means untagged in VLAN "users"):

apuname Auth-Type := EAP, Cleartext-Password := "appass"
	Extreme-Security-Profile = "apin QOS=QP1;LOGOFF-PROFILE=apout;",
	Extreme-Netlogin-Extended-Vlan = "Uusers"

Complexity is added where you want the B@AP traffic to access other VLANs than the one the AP is in at the switch port. If you do, then you'll need the UPM script to have something like this:

config vlan user1 add port $(EVENT.USER_PORT) tagged
config vlan user2 add port $(EVENT.USER_PORT) tagged

....etc...

and the un-authenticate UPM script will need to do the opposite:

config vlan user1 delete port $(EVENT.USER_PORT)
config vlan user2 delete port $(EVENT.USER_PORT)

....etc...

Is there any chance that you can test this in a lab?

--Matt
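The mac-list trick above is what makes the bypass work, so it is worth seeing exactly what it accepts. The following is an added example, not code from the thread or from Extreme; it models the mac-list semantics as Matt describes them (an entry is a MAC plus a mask length in bits, and the credentials forwarded to the database are those of the matching list entry, not the client's). The longest-prefix tie-break and the sample MACs are assumptions made for the example.

```python
"""Resolve which netlogin mac-list entry a client MAC would hit.

Models the mac-list behaviour described in the thread: an entry is
mac/mask, where mask is the number of leading bits that must match, and
the username/password sent to the authentication database belong to the
matching list entry rather than to the client.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MacListEntry:
    mac: str        # e.g. "80:00:00:00:00:00"
    mask: int       # leading bits that must match, 1..48
    password: str


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (or aa-bb-...) into a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def entry_matches(entry: MacListEntry, client_mac: str) -> bool:
    """True when the first `mask` bits of the client MAC equal the entry's."""
    shift = 48 - entry.mask
    return mac_to_int(entry.mac) >> shift == mac_to_int(client_mac) >> shift


def resolve(mac_list: List[MacListEntry], client_mac: str) -> Optional[Tuple[str, str]]:
    """Return the (username, password) netlogin would forward for this client,
    or None when no entry matches (the client is not authenticated).
    Longest-prefix wins on overlap; that tie-break is an assumption of this
    example, not something the thread states."""
    best = None
    for entry in mac_list:
        if entry_matches(entry, client_mac) and (best is None or entry.mask > best.mask):
            best = entry
    if best is None:
        return None
    # The username is the list entry's MAC without separators, which is why the
    # thread creates local users "000000000000" and "800000000000".
    return best.mac.replace(":", ""), best.password


def coverage(mac_list: List[MacListEntry], sample_macs: List[str]) -> float:
    """Fraction of the sample MACs that some entry accepts. 1.0 means the list
    accepts any client, i.e. MAC auth on that port is an unconditional bypass."""
    hits = sum(1 for mac in sample_macs if resolve(mac_list, mac) is not None)
    return hits / len(sample_macs)


# The two entries from the thread's configuration, reconstructed for the example.
THREAD_MAC_LIST = [
    MacListEntry("80:00:00:00:00:00", 1, "pass"),
    MacListEntry("00:00:00:00:00:00", 1, "pass"),
]

# A tighter alternative: accept only one vendor OUI (constructed value) with a 24-bit mask.
OUI_ONLY_LIST = [MacListEntry("00:11:22:00:00:00", 24, "pass")]

# Constructed sample client MACs spanning both halves of the address space.
SAMPLE_MACS = ["00:11:22:33:44:55", "7f:ff:ff:00:00:01", "80:00:00:00:00:01", "a4:5e:60:12:34:56"]


if __name__ == "__main__":
    for mac in SAMPLE_MACS:
        print(mac, "->", resolve(THREAD_MAC_LIST, mac))
    print("thread list coverage:", coverage(THREAD_MAC_LIST, SAMPLE_MACS))
    print("OUI-only list coverage:", coverage(OUI_ONLY_LIST, SAMPLE_MACS))
```

Running it shows every sample client resolving to one of the two fixed credential pairs, which is the intended "bypass" behaviour of the design: while the AP's dot1x session is up, anything behind that port is accepted. If the bridge@AP clients' hardware is predictable, narrowing the mask to an OUI (as in the second list) limits what the port will accept without changing the UPM mechanics.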
