cancel
Showing results for 
Search instead for 
Did you mean: 

PacketFence and Summit switches

PacketFence and Summit switches

Stephen_Stormon
Contributor
Sorry for the amount of detail, but we are trying to setup PacketFence with our Summit switches and I think everything looks fine on the PacketFence side, but I keep getting the following on the test switch:

07/30/2014 13:47:39.42 Slot-1: Authentication failed for Network Login MAC user 3C970EADB66B Mac 3C:97:0E:AD:B6:6B port 5:13

07/30/2014 13:47:39.42 Slot-1: No response from server 172.22.0.3 trying local.

07/30/2014 13:47:39.42 Slot-1: No servers responding

07/30/2014 13:47:36.42 Slot-1: Resend request to Authentication Server address 172.22.0.3 current request count is 2

07/30/2014 13:47:33.41 Slot-1: Resend request to Authentication Server address 172.22.0.3 current request count is 1

What steps can I perform on the switch to verify connectivity? I can ping/trace to the PacketFence server from the switch.

We have PacketFence installed on a server (172.22.0.3). We have three interfaces defined in PacketFence: Management (172.22.0.3/23), Isolation (12.22.2.3/23), and Registration (172.22.38.3/23). Those interfaces are plugged into our core Extreme Networks Summit switch into matching VLANs: “Internal_Appliances” (172.22.0.1/23), “MAC_Isolation” (172.22.2.1/23), and “MAC_Registration” (172.22.38.1/23).

That switch is then uplinked to our desktop switch, where we have created a “MAC_Isolation” (172.22.2.2/23), “MAC_Registration” (172.22.38.2/23), MAC_Temp (no IP), and “Desktops” (172.22.34.2/23). We want the ports to eventually end up in the “Desktops” VLAN after authorization.

The steps below were performed on the Extreme switch to which the desktops are connected, using Port 5:13 as our test.



create vlan MAC_Registration

config vlan "MAC_Registration" tag 369

create vlan MAC_Temp

enable snmp access

configure snmp add trapreceiver 172.22.0.3 community public vr VR-DEFAULT

configure vlan MAC_Registration add ports 5:13 untagged

configure ports 5:13 vlan MAC_Registration lock-learning

disable snmp traps port-up-down ports 5:13

configure radius netlogin primary server 172.22.0.3 1812 client-ip 172.22.32.2 vr VR-Default

configure radius netlogin primary shared-secret (password)

enable radius netlogin

configure netlogin vlan MAC_Temp

enable netlogin mac

configure netlogin dynamic-vlan enable

configure netlogin dynamic-vlan uplink-ports 4:45

configure netlogin mac authentication database-order radius

enable netlogin ports 5:13 mac

configure netlogin ports 5:13 mode port-based-vlans

configure netlogin ports 5:13 no-restart

The results of “show netlogin” and “show radius” on the switch returns the following:

Slot-1 Stack.4 # show netlogin

NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based ENABLED

NetLogin VLAN : "MAC_Temp"

NetLogin move-fail-action : Deny

NetLogin Client Aging Time : 5 minutes

Dynamic VLAN Creation : Enabled

Dynamic VLAN Uplink Ports : 4:45



------------------------------------------------

Web-based Mode Global Configuration

------------------------------------------------

Base-URL : network-access.com

Default-Redirect-Page : ENABLED; http://www.extremenetworks.com

Logout-privilege : YES

Netlogin Session-Refresh : ENABLED; 3 minute(s) 0 second(s)

Refresh failures allowed : 0

Reauthenticate on refresh: Disabled

Authentication Database : Radius, Local-User database

Proxy Ports : 80(http),443(https)

------------------------------------------------



------------------------------------------------

802.1x Mode Global Configuration

------------------------------------------------

Quiet Period : 60

Supplicant Response Timeout : 30

Re-authentication period : 3600

Max Re-authentications : 3

RADIUS server timeout : 30

EAPOL MPDU version to transmit : v1

Authentication Database : Radius

------------------------------------------------



------------------------------------------------

MAC Mode Global Configuration

------------------------------------------------



MAC Address/Mask Password (encrypted) Port(s)

-------------------- ------------------------------ ------------------------

Default any



Re-authentication period : 0 (Re-authentication disabled)

Authentication Database : Radius

------------------------------------------------



Port: 5:13, Vlan: MAC_Registration, State: Enabled, Authentication: mac-based

Guest Vlan : Disabled

Authentication Failure Vlan : Disabled

Authentication Service-Unavailable Vlan : Disabled



MAC IP address Authenticated Type ReAuth-Timer User

3c:97:0e??b6:6b 0.0.0.0 No MAC 0

-----------------------------------------------

(B) - Client entry Blackholed in FDB





Number of Clients Authenticated : 0



Slot-1 Stack.5 # show radius

Switch Management Radius: disabled

Switch Management Radius server connect time out: 3 seconds

Switch Management Radius Accounting: disabled

Switch Management Radius Accounting server connect time out: 3 seconds

Netlogin Radius: enabled

Netlogin Radius server connect time out: 3 seconds

Netlogin Radius Accounting: disabled

Netlogin Radius Accounting server connect time out: 3 seconds



Primary Netlogin Radius server:

Server name :

IP address : 172.22.0.3

Server IP Port: 1812

Client address: 172.22.38.2 (VR-Default)

Shared secret : 2\q;sJ;@F=8Bjn

Access Requests : 13752 Access Accepts : 0

Access Rejects : 0 Access Challenges : 0

Access Retransmits: 9168 Client timeouts : 4584

Bad authenticators: 0 Unknown types : 0

Round Trip Time : 0



7 REPLIES 7

TylerMarcotte
Extreme Employee
Sorry, I'm not familiar with the way that packet fence operates, however, if it's not routable, then there most likely wouldn't be a way to get a WOL packet to that device unless it's on the same VLAN.

Stephen_Stormon
Contributor
That allows traffic out of the port, but it doesn't help with routing the WOL packet to the device on the port.

TylerMarcotte
Extreme Employee
Try using 'configure netlogin ports allow egress-traffic all_cast'. This will allow all traffic to egress a port while in the unauthenticated state.

Stephen_Stormon
Contributor
We got this working finally, but now we realized that this method won't allow us to Wake On LAN unless someone has another solution.

Basically, devices are put int the "MAC_Temp" VLAN when powered off which appears to be a L2 VLAN that we can't forward anything to. Does anyone have any solutions on how to work around that?

Also, it looks like 802.1x instead of mac based authentication might allow WOL to work?
GTM-P2G8KFN